Malware Analysis Report

2025-06-16 07:34

Sample ID 240601-ys52nsec66
Target 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983
SHA256 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983
Tags
persistence
score
10/10

Analysis Overview

score
10/10

SHA256

328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983

Threat Level: Known bad

The file 328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983 was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 20:03

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 20:03

Reported

2024-06-01 20:06

Platform

win7-20240221-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE} C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C50E527-07FD-4c76-A471-A588FD4E4552} C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8652973A-9E9A-4337-B900-8AF2A0582249} C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{827E2511-E15D-43f9-BFD9-CD1888AAA72A} C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91481A97-0C26-4903-AA71-1C8A7C7A1552} C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}\stubpath = "C:\\Windows\\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe" C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583F0504-4668-4df7-862A-A3B7E32BB90E}\stubpath = "C:\\Windows\\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe" C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7} C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}\stubpath = "C:\\Windows\\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe" C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}\stubpath = "C:\\Windows\\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe" C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E} C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C50E527-07FD-4c76-A471-A588FD4E4552}\stubpath = "C:\\Windows\\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe" C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8652973A-9E9A-4337-B900-8AF2A0582249}\stubpath = "C:\\Windows\\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe" C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}\stubpath = "C:\\Windows\\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe" C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{583F0504-4668-4df7-862A-A3B7E32BB90E} C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}\stubpath = "C:\\Windows\\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe" C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}\stubpath = "C:\\Windows\\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe" C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57352ABD-CF91-4347-9A4D-2DBA277A61B9} C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}\stubpath = "C:\\Windows\\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe" C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91481A97-0C26-4903-AA71-1C8A7C7A1552}\stubpath = "C:\\Windows\\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe" C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0} C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB} C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe N/A
File created C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe N/A
File created C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe N/A
File created C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe N/A
File created C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe N/A
File created C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe N/A
File created C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe N/A
File created C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
File created C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe N/A
File created C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe N/A
File created C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe
PID 2188 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 2584 N/A C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe
PID 2928 wrote to memory of 2432 N/A C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 2752 N/A C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe
PID 2584 wrote to memory of 2724 N/A C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2988 N/A C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe
PID 2752 wrote to memory of 1528 N/A C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2980 N/A C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe
PID 2988 wrote to memory of 2960 N/A C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 1712 N/A C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe
PID 2980 wrote to memory of 2320 N/A C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 1496 N/A C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe
PID 1712 wrote to memory of 2680 N/A C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2524 N/A C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe
PID 1496 wrote to memory of 2776 N/A C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe

"C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"

C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe

C:\Windows\{583F0504-4668-4df7-862A-A3B7E32BB90E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328FB4~1.EXE > nul

C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe

C:\Windows\{570AB2B4-CAA4-4e83-99DF-98C483A62FF7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{583F0~1.EXE > nul

C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe

C:\Windows\{B59C3DF5-88AB-4833-8DEC-CD8BA169A7AB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{570AB~1.EXE > nul

C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe

C:\Windows\{827E2511-E15D-43f9-BFD9-CD1888AAA72A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B59C3~1.EXE > nul

C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe

C:\Windows\{57352ABD-CF91-4347-9A4D-2DBA277A61B9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{827E2~1.EXE > nul

C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe

C:\Windows\{BD6E6FBB-7DAF-428d-9DC6-E2DD898ECBDE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{57352~1.EXE > nul

C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe

C:\Windows\{91481A97-0C26-4903-AA71-1C8A7C7A1552}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BD6E6~1.EXE > nul

C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe

C:\Windows\{6FF595D9-519A-45ef-A7B9-CAF818A6B04E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{91481~1.EXE > nul

C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe

C:\Windows\{9C50E527-07FD-4c76-A471-A588FD4E4552}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6FF59~1.EXE > nul

C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe

C:\Windows\{8652973A-9E9A-4337-B900-8AF2A0582249}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9C50E~1.EXE > nul

C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe

C:\Windows\{FB5F4AD3-8F67-48b4-AFAA-263EDE19EAF0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{86529~1.EXE > nul

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 20:03

Reported

2024-06-01 20:06

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}\stubpath = "C:\\Windows\\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe" C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6724A17D-E6C6-4b8b-A079-06088FCEAC38} C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}\stubpath = "C:\\Windows\\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe" C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}\stubpath = "C:\\Windows\\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe" C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{377AA324-DAC6-456d-BFD7-9E025BB67430}\stubpath = "C:\\Windows\\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe" C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4} C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}\stubpath = "C:\\Windows\\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe" C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}\stubpath = "C:\\Windows\\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe" C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}\stubpath = "C:\\Windows\\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe" C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}\stubpath = "C:\\Windows\\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe" C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}\stubpath = "C:\\Windows\\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe" C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785} C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C880EA27-C463-46bf-8BE4-0D584F116BC4} C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E8F43B6-E5AF-454c-B91E-993D578C4D30} C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8} C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C880EA27-C463-46bf-8BE4-0D584F116BC4}\stubpath = "C:\\Windows\\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe" C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E6EA05B-4D0E-417a-834D-C612AD3147F6} C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89A0A96-B505-4753-8214-302EDFFD0D1A} C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A89A0A96-B505-4753-8214-302EDFFD0D1A}\stubpath = "C:\\Windows\\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe" C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3CD81BE-666F-4ad8-BBB0-5D314E634756} C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{377AA324-DAC6-456d-BFD7-9E025BB67430} C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{475B84CB-6E53-4d93-99BF-B804DBDF097C} C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BF07D9D-2D7D-42d4-BC63-49842053B16C} C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{475B84CB-6E53-4d93-99BF-B804DBDF097C}\stubpath = "C:\\Windows\\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe" C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe N/A
File created C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe N/A
File created C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
File created C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe N/A
File created C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe N/A
File created C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe N/A
File created C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe N/A
File created C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe N/A
File created C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe N/A
File created C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe N/A
File created C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe N/A
File created C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe
PID 1808 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 1796 N/A C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe
PID 1040 wrote to memory of 2272 N/A C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 5052 N/A C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe
PID 1796 wrote to memory of 4736 N/A C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe C:\Windows\SysWOW64\cmd.exe
PID 5052 wrote to memory of 3836 N/A C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe
PID 5052 wrote to memory of 4232 N/A C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4660 N/A C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe
PID 3836 wrote to memory of 1020 N/A C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe C:\Windows\SysWOW64\cmd.exe
PID 4660 wrote to memory of 4288 N/A C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe
PID 4660 wrote to memory of 1576 N/A C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4288 wrote to memory of 2916 N/A C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe
PID 4288 wrote to memory of 2592 N/A C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2916 wrote to memory of 2864 N/A C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe
PID 2916 wrote to memory of 4796 N/A C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 3624 N/A C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe
PID 2864 wrote to memory of 2456 N/A C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 4236 N/A C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe
PID 3624 wrote to memory of 4076 N/A C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 4344 N/A C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe
PID 4236 wrote to memory of 4256 N/A C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe

"C:\Users\Admin\AppData\Local\Temp\328fb41538fe7ce487e03ac503d4da4ab047dfa65c72d4dcea6f39223be79983.exe"

C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe

C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328FB4~1.EXE > nul

C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe

C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{51CA5~1.EXE > nul

C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe

C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2BF07~1.EXE > nul

C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe

C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C5~1.EXE > nul

C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe

C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C880E~1.EXE > nul

C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe

C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8E6EA~1.EXE > nul

C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe

C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A89A0~1.EXE > nul

C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe

C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F3CD8~1.EXE > nul

C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe

C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{377AA~1.EXE > nul

C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe

C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{475B8~1.EXE > nul

C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe

C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{0D8BC~1.EXE > nul

C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe

C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6724A~1.EXE > nul

Network


Files

C:\Windows\{51CA59E9-6FF5-4dc8-9117-73B49F4FD5E8}.exe
C:\Windows\{2BF07D9D-2D7D-42d4-BC63-49842053B16C}.exe
C:\Windows\{C73C5DFC-803B-40aa-9E4E-953DF0EAC785}.exe
C:\Windows\{C880EA27-C463-46bf-8BE4-0D584F116BC4}.exe
C:\Windows\{8E6EA05B-4D0E-417a-834D-C612AD3147F6}.exe
C:\Windows\{A89A0A96-B505-4753-8214-302EDFFD0D1A}.exe
C:\Windows\{F3CD81BE-666F-4ad8-BBB0-5D314E634756}.exe
C:\Windows\{377AA324-DAC6-456d-BFD7-9E025BB67430}.exe
C:\Windows\{475B84CB-6E53-4d93-99BF-B804DBDF097C}.exe
C:\Windows\{0D8BCD23-6AC9-461a-9FBA-8C6B2BC184E4}.exe
C:\Windows\{6724A17D-E6C6-4b8b-A079-06088FCEAC38}.exe
C:\Windows\{2E8F43B6-E5AF-454c-B91E-993D578C4D30}.exe