Analysis Overview
SHA256
5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1
Threat Level: Known bad
The file 5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1 was found to be: Known bad.
Malicious Activity Summary
Detects Windows executables referencing non-Windows User-Agents
Modifies Installed Components in the registry
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 22:11
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 22:11
Reported
2024-06-03 22:14
Platform
win7-20240221-en
Max time kernel
144s
Max time network
124s
Command Line
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9991D2-EE11-4c2e-A907-441E46B73E24} | C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED1328DD-607D-4669-9725-C76D4F098078} | C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E2B0114-8F7A-430c-B713-0E7664872299}\stubpath = "C:\\Windows\\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe" | C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}\stubpath = "C:\\Windows\\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe" | C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16205371-AFE7-42a2-BDCA-1E5C7420C780}\stubpath = "C:\\Windows\\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe" | C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA9991D2-EE11-4c2e-A907-441E46B73E24}\stubpath = "C:\\Windows\\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe" | C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B5F781-3BE4-4752-9C56-43AE49529FE4} | C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}\stubpath = "C:\\Windows\\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe" | C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}\stubpath = "C:\\Windows\\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe" | C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{085765FF-F557-45aa-A205-ACA6B029EB3F}\stubpath = "C:\\Windows\\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe" | C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}\stubpath = "C:\\Windows\\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe" | C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}\stubpath = "C:\\Windows\\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe" | C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E2B0114-8F7A-430c-B713-0E7664872299} | C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C} | C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}\stubpath = "C:\\Windows\\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe" | C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16205371-AFE7-42a2-BDCA-1E5C7420C780} | C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB} | C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4} | C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED1328DD-607D-4669-9725-C76D4F098078}\stubpath = "C:\\Windows\\{ED1328DD-607D-4669-9725-C76D4F098078}.exe" | C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{085765FF-F557-45aa-A205-ACA6B029EB3F} | C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60EDBBF4-AEC3-4661-99F2-16934D2E218A} | C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2} | C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe | N/A |
| N/A | N/A | C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe | N/A |
| N/A | N/A | C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe | N/A |
| N/A | N/A | C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe | N/A |
| N/A | N/A | C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe | N/A |
| N/A | N/A | C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe | N/A |
| N/A | N/A | C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe | N/A |
| N/A | N/A | C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe | N/A |
| N/A | N/A | C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe | N/A |
| N/A | N/A | C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe | N/A |
| N/A | N/A | C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe | C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe | N/A |
| File created | C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe | C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe | N/A |
| File created | C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe | C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe | N/A |
| File created | C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe | C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe | N/A |
| File created | C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe | C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe | N/A |
| File created | C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe | C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe | N/A |
| File created | C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe | C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe | N/A |
| File created | C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe | C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe | N/A |
| File created | C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe | C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe | N/A |
| File created | C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe | C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe | N/A |
| File created | C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe | C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe
"C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe"
C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe
C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F45BC~1.EXE > nul
C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe
C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16205~1.EXE > nul
C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe
C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DA999~1.EXE > nul
C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe
C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B5F~1.EXE > nul
C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe
C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{57C40~1.EXE > nul
C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe
C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{392AF~1.EXE > nul
C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe
C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{ED132~1.EXE > nul
C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe
C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2E2B0~1.EXE > nul
C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe
C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{08576~1.EXE > nul
C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe
C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D3614~1.EXE > nul
C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe
C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{60EDB~1.EXE > nul
Network
Files
C:\Windows\{16205371-AFE7-42a2-BDCA-1E5C7420C780}.exe
| MD5 | ba6a5c8d050951ec4efb0460f3a8c4fb |
| SHA1 | 65d19eaef6456e7f997232d39fda9f007d2b4d48 |
| SHA256 | 11277f0288f9b6071e574f05ee36654774e36ffd1deafe1b4ccff34171c5f85e |
| SHA512 | 084e788d7f6f75043a30e3b482195f7cbb0a75f5e6b0a069541af20486ebbb50dabd5047d57fa7730e2b38033bca9501f66748d2669d8a07f08b7e38a743470c |
C:\Windows\{DA9991D2-EE11-4c2e-A907-441E46B73E24}.exe
| MD5 | 6783b7f60ae050b80f523c7a9b9bc60e |
| SHA1 | 28b8849bdccde3ba51bfe190d9918b3a472039d4 |
| SHA256 | 3841426a59a27c8ec1a36b4068033d51095a9b074fd43b1596ba0da46b5dc61c |
| SHA512 | c220a86c64e2e1dc61cf3accaf1f065925d4c90d6b8ed01e9d0806f45b5d306746c5b1b4f359ccf77e4c659b35012d10343a42076c8ede20a7fdc55f0d8388f5 |
C:\Windows\{E7B5F781-3BE4-4752-9C56-43AE49529FE4}.exe
| MD5 | d312036e81f42e35058c0294e8eb9ecf |
| SHA1 | 1fafbc627e431d4170218a5159a753c3c60c93c9 |
| SHA256 | 255b8f5618907579758c494ea2495765ae01972f04f6271a952329a09263c0ab |
| SHA512 | d337a564d28235c42c56c7a4c38cc3f05877c7afc505b70ede8a55d6c22a659709efba16739f9217c104ce2d64ece50f8809dbcec1948863aba55658067a0ee7 |
C:\Windows\{57C40D68-DABE-4c66-B9D6-9B8A5DF9C3BB}.exe
| MD5 | e13272d4c725b13c5e77e6b29aaf52db |
| SHA1 | 4c8bfac0ab5785b5cacad8a83f9e26f2c925cc48 |
| SHA256 | f65fc52f5ba8a765eb17479028f09f4e60002742a75b6f1717627a2f96fa039d |
| SHA512 | bf46c87651a4c5b0a7eab2ee4c65ba27ded46db069432fbbd91c5363780240852f4901e28e3d808bdfaf935feaba021093344b08d1571ec16cef9bd3c1ec0e59 |
C:\Windows\{392AF362-BE4A-48a0-B4C5-55E0FB9BF5C4}.exe
| MD5 | 27e2a10a4bb8d50fac77c1177805ac72 |
| SHA1 | c7c1df1cac8b45b66601d0e3b4cf67d5db640ebf |
| SHA256 | 87b6f7a9f77d5c48e7eb29cf4f71e29101f2c9f3cf8307e24e9d4c756db9d228 |
| SHA512 | 8f44298a16b46baab9b3d43a208f3d3a308004c03630866b8cda390c4d5be7811b644a83c4b340938cd70ed2242901d0114be572270326c201c178b572cb030f |
C:\Windows\{ED1328DD-607D-4669-9725-C76D4F098078}.exe
| MD5 | d93953b37ee9cc9a39f595b3dff7ce8d |
| SHA1 | 29a9ca6bf4b2755d1e4951ced453a791c75aeb99 |
| SHA256 | 2a55217364d10a32669e5d360e1e795be9d2b88deb64d5025e566ae1668d47b3 |
| SHA512 | 5b8aa85270cda6e6a27e7f8b842a2d6af15ab21a52156a19618066ddebbeec704516e780892e04566f135a6afce66a18800cbfd8a3909aa412e694a68bc1946f |
C:\Windows\{2E2B0114-8F7A-430c-B713-0E7664872299}.exe
| MD5 | 3ca5f84a6ed0b7fb3085c99b80aef59e |
| SHA1 | b67571e27a8a8c27d2a4869f7f344c5117172423 |
| SHA256 | 2dc7605a05b690c1c4b703d7d05a2b4de8f0e7def6e5055e96ea88d0ff1f0b83 |
| SHA512 | 396af47a1887194f5a58134313cbfeba7b31f7621f634c0de05622315de9e4b4cfe3741ffb9e1bd32214a3463505ed6a02c5bc989574830a758e0ab44c8d4933 |
C:\Windows\{085765FF-F557-45aa-A205-ACA6B029EB3F}.exe
| MD5 | 9b6584269054317d82bab3be76ba5052 |
| SHA1 | 450ef77ca54b09d8e6b438570812c80b985783f5 |
| SHA256 | f70bca02992f6068e39a8d1eba3b821e875b49d51d24cba1c14eefe7a0f3444c |
| SHA512 | 3f465525ebb7cd439ed1eccc248246d7b8fd50b5aca1b7ae60dd25c7bab9e169c58f065a40161cc931f6baec74e792b3a9f9f796ce89c0bffa0d3790edc1a9db |
C:\Windows\{D3614BCB-F3A3-4cd4-AC76-CEB5545BD80C}.exe
| MD5 | 4ecf9777474f33ac62170c5d407fd6f0 |
| SHA1 | 8fb32c2829ea2236aaa03c9f6cb590c7c3b8fb09 |
| SHA256 | 91cc989d65799c96be8335e8411d5590738f3a92f6a7a7f3350b4ae31fe748ba |
| SHA512 | 532bf162a49ffb972eaaa18bd2c429f0ae4f4465755586b379c22a0db16ebdc0f56aa118e3b3ad1adfb0ab69110490e63dc12d52e77beb798f56efe1592129e0 |
C:\Windows\{60EDBBF4-AEC3-4661-99F2-16934D2E218A}.exe
| MD5 | 3781d2337634541d3804ce9d0d04d261 |
| SHA1 | 641ceb617a3e694631b6b22973ab28aec775dac7 |
| SHA256 | 3d30acfe6fa1e04e06cacf20e074a029bb70206d581b80262c983e4e1baa67ff |
| SHA512 | f6ddebbdf6b2d52c9b1820b5dcc065bdf69cddc1751b3c20482dec87e8b43f43d59a2b1c8dbbee89e6a817735d282f88327840a0258f995b3ce676162e46a1fd |
C:\Windows\{9C8EED3E-93FE-4677-A0C7-41A9AC1579A2}.exe
| MD5 | 4b031e52efde529fd162263fb139ffc3 |
| SHA1 | 1afbed68a76e230053717c60cc4ff60dc59abc73 |
| SHA256 | fbd5456b551127f3526fbc5399bb9af9d7d765a14392c7b747a5660061a7d568 |
| SHA512 | 9093c3932a960d9977de12b468a7478138f906a626017c93b83709a7ff7d537ee376f54241a45201648e21745da545c841d8bb68f2de716154272c787e63af52 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 22:11
Reported
2024-06-03 22:14
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
95s
Command Line
Signatures
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}\stubpath = "C:\\Windows\\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe" | C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A52924-E66E-4862-B0AD-D1071EA6700D}\stubpath = "C:\\Windows\\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe" | C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98907E83-B3CD-4f8f-803E-64C21A71F366} | C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B1D440-F6FD-4646-83D1-344602913843} | C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA255D99-9949-4920-ABF8-013A56932847} | C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F3753D4-D7A5-44eb-93F4-23A80F66707C} | C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A9AD0E-226F-45bf-A99B-B566D60C0988} | C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83BE808-D192-4483-9695-33F6E94F0F87}\stubpath = "C:\\Windows\\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe" | C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951453FB-B63D-4998-A49A-5E49F225FE48}\stubpath = "C:\\Windows\\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe" | C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}\stubpath = "C:\\Windows\\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe" | C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8811E4-0583-4fc5-8701-D4FA592B32B0} | C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F3078F-BDBE-4e73-AC48-A137A5FBD366} | C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}\stubpath = "C:\\Windows\\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe" | C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98907E83-B3CD-4f8f-803E-64C21A71F366}\stubpath = "C:\\Windows\\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe" | C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A40B1C-3C12-4cd5-8727-A28004CA6C39} | C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}\stubpath = "C:\\Windows\\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe" | C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B1D440-F6FD-4646-83D1-344602913843}\stubpath = "C:\\Windows\\{77B1D440-F6FD-4646-83D1-344602913843}.exe" | C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B} | C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}\stubpath = "C:\\Windows\\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe" | C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA255D99-9949-4920-ABF8-013A56932847}\stubpath = "C:\\Windows\\{DA255D99-9949-4920-ABF8-013A56932847}.exe" | C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}\stubpath = "C:\\Windows\\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe" | C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A83BE808-D192-4483-9695-33F6E94F0F87} | C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{951453FB-B63D-4998-A49A-5E49F225FE48} | C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09A52924-E66E-4862-B0AD-D1071EA6700D} | C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe | N/A |
| N/A | N/A | C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe | N/A |
| N/A | N/A | C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe | N/A |
| N/A | N/A | C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe | N/A |
| N/A | N/A | C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe | N/A |
| N/A | N/A | C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe | N/A |
| N/A | N/A | C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe | N/A |
| N/A | N/A | C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe | N/A |
| N/A | N/A | C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe | N/A |
| N/A | N/A | C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe | N/A |
| N/A | N/A | C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe | N/A |
| N/A | N/A | C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe | C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe | N/A |
| File created | C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe | C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe | N/A |
| File created | C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe | C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe | N/A |
| File created | C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe | C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe | N/A |
| File created | C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe | C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe | N/A |
| File created | C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe | C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe | N/A |
| File created | C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe | C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe | N/A |
| File created | C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe | C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe | N/A |
| File created | C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe | C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe | N/A |
| File created | C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe | C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe | N/A |
| File created | C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe | C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe | N/A |
| File created | C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe | C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe
"C:\Users\Admin\AppData\Local\Temp\5f45bcf7a3c955d184cb42c1c1d74426fb2cd7fa3641308efbdd6b7f958d0fe1.exe"
C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe
C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F45BC~1.EXE > nul
C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe
C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DF0B0~1.EXE > nul
C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe
C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{DA255~1.EXE > nul
C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe
C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6F375~1.EXE > nul
C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe
C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B7A9A~1.EXE > nul
C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe
C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A83BE~1.EXE > nul
C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe
C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{95145~1.EXE > nul
C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe
C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{02F30~1.EXE > nul
C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe
C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{09A52~1.EXE > nul
C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe
C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{98907~1.EXE > nul
C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe
C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{77B1D~1.EXE > nul
C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe
C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{23A40~1.EXE > nul
Network
Files
C:\Windows\{DF0B0D03-9B8B-4e02-8AFD-AC26BE21485B}.exe
| MD5 | 5f13f88e774ff8d338a778d54e2ff767 |
| SHA1 | fe6b721c8e76feab421798c9c232b00006595c11 |
| SHA256 | 09277c2115ba79a823c89df2b7b2a2d81487e2fd8e4a223a9332458bf59d36ac |
| SHA512 | 0cb9eeda0dbdd2359b05c417af001e194a852002d38c20908d1e68e0466882889a80a7d3148d0b5d40ba1884be1588e53e1e636781ab70462d87e3e3ff2f0893 |
memory/2720-4-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4780-5-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2720-11-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{DA255D99-9949-4920-ABF8-013A56932847}.exe
| MD5 | 7b45d1ea8ac8c1aa50ef90950fc44ec4 |
| SHA1 | 43a61f3ddffc5ba0a88c2deeb2f5931848eb514b |
| SHA256 | 2c5beec8d9aca4f6195102c993b670be99301eac89c11508f793f4701dca0f8b |
| SHA512 | 50b7a2e6d6ca62f9b47c650a4224ba70483d8dd75d332cf6701ee21d3b543c5951c4ff438707bdf360872097342058fcdeca51771764f877b59c5ad333c57c7e |
memory/680-12-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{6F3753D4-D7A5-44eb-93F4-23A80F66707C}.exe
| MD5 | 1a503adb9b327505fb24bddf21838a11 |
| SHA1 | b7a9a6d621e01941913fa0e86ffa1351b97346ea |
| SHA256 | ff48c983068ff4732a1461b26b9014f505bd48aed50dcba5f08ed82aeec8d160 |
| SHA512 | 8e9efe5dc8367c6a41b95c2e9e5bd8db6c45941fd25675605d5ee01734e3b3e405a99c88787d124a85a96117adb5478e020ed261ad99272f3ada3089a64b5966 |
memory/4724-18-0x0000000000400000-0x0000000000410000-memory.dmp
memory/680-17-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{B7A9AD0E-226F-45bf-A99B-B566D60C0988}.exe
| MD5 | 2615fdc306c55238010905a51b766d03 |
| SHA1 | 4dd6ca0f42722e559e169a19a340e106dea9c588 |
| SHA256 | 0812596cebc95ca0de598b6e0127f93b653bfdc8609616d3b095182d02db9a98 |
| SHA512 | 77222e6aa02b10428f04617cb27c5878deac924cbce616472d5d77fb3a5fa0617a0ea08fcadee9d295bb3297be38c274ea877334a235356b6c0083bbf8e88323 |
memory/4148-23-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4724-22-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{A83BE808-D192-4483-9695-33F6E94F0F87}.exe
| MD5 | 07cdee17529a783ff82c0fb58a09135e |
| SHA1 | 0478bddedfa094ab42ceee121dd91828f6bb1766 |
| SHA256 | 2628e16ed3e7200bb4597463cb159052a514e6e0fb8242ded2cf0fde30db1cfe |
| SHA512 | b1fa392819124900e09d41184d5a8b9e3b43a8897da0139d6b947b90627be06ac1bfc7348893ffc28e217a70d677575b33482ce2d351e2d3b9cc4ea38d52abbc |
memory/4148-28-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3252-30-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{951453FB-B63D-4998-A49A-5E49F225FE48}.exe
| MD5 | 77ec4768c58408cd141260a66bd85d00 |
| SHA1 | 6b4886c3b6d5b883c465468dfd03d57f68dc2121 |
| SHA256 | bdb54c9170c2726d1bb3c699dacedf8ce80a98b1aa4333bdd5daeaa7e341a5a4 |
| SHA512 | 407e012217bdc444ca480235af52207fc07844ad6514a22843d7a017e946ab4bac54cb1837125f42565c8f576eb5a9ef4f79ce3df2a5645ca3ad5b4e87f70546 |
memory/3252-35-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2740-36-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2740-39-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{02F3078F-BDBE-4e73-AC48-A137A5FBD366}.exe
| MD5 | 70c236c659ffffd63d706fa53aade1bb |
| SHA1 | eb8f48a8b05512af14ab7ad2c2197f9d3c7c213d |
| SHA256 | 512878d140c999157653dca1dc26c9170ddb165651f688b76de4a6252ce7444b |
| SHA512 | b090659108fdd16c7553c44b65a0cea06bb02ffd3b5983e3050d4df88ffe6c18f94c6b6e3d00b419241fbe2734a8f3dfb71106cf67ba4abab7382802bd6af1b6 |
memory/3136-42-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3136-47-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3124-48-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{09A52924-E66E-4862-B0AD-D1071EA6700D}.exe
| MD5 | 6303ff0eaadbc9241970df999d56031d |
| SHA1 | 219f6dc92d565ff2af932285cb97bc3f6303f21e |
| SHA256 | aeb10d1c03a930ef3a0d5a70266b03636ff8982898458a817b12be4315c64340 |
| SHA512 | 89c70ef585705ae350c9400eb947d979f46972261e81ced9a506c9af69dad1d414e0ab38dbec1437fa803f984ae8a117240746cfee7e71f30d4f8acbd5e42034 |
C:\Windows\{98907E83-B3CD-4f8f-803E-64C21A71F366}.exe
| MD5 | 5bb8e48ba5011ab205077e4c1af5d8e7 |
| SHA1 | 7896d55ba7b00427f2e4e7e309f24b35dcd6e791 |
| SHA256 | 9909a4b2dc05031ed8a384b522618863a68711596f77277c19d9cb431321f23d |
| SHA512 | 126f76869560d51b4537d637b5eee4d7795f04ac6850194f9fe11a24750e7b0d6d51790ac9fe9057ab08becc3973d8e32ed69eda5a4b4603be427a45b59ba8ff |
memory/3124-52-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4424-54-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4904-60-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4424-59-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{77B1D440-F6FD-4646-83D1-344602913843}.exe
| MD5 | c3e402bcc40ce32b273f546a1aa3838f |
| SHA1 | 59b7bdbb5d76efbab7d44a44cf84261a017c0775 |
| SHA256 | 3db479571b8e653578411fbcdf7f3c754a577a958b82ba371076afda7800d377 |
| SHA512 | 02bcc11c672ac3c0b5b6651fd9794313e22cb9a3942b4c2602f7a6b689980054fb02d22f3a55429f654f6149055fcdb27df43d7ddc3b315896616b3bf2cb1ed8 |
C:\Windows\{23A40B1C-3C12-4cd5-8727-A28004CA6C39}.exe
| MD5 | 98b07a8e34d2f4bfb8c9e736db6c0c9f |
| SHA1 | 5f0940dbfdc2abd3e0d3bbe3ff6d4ae0803f0f2c |
| SHA256 | 788af22edbe67014496e3628cc539211de35091285166f7d9d267c270d5a3ca9 |
| SHA512 | feb98374f587b60225d0f1ca56c0361bb8752857753c2514ec42c851512ed160804b0c641d6d9ee2a90bde67ebffbb9fc35b23c2b215c6ab9544b63a5c881ec8 |
memory/2900-65-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4904-64-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2900-69-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Windows\{0E8811E4-0583-4fc5-8701-D4FA592B32B0}.exe
| MD5 | b393ae78988bb81b1872586a4ad8bf33 |
| SHA1 | 7664f2325b26e384e53f5e7b4f838369cd4b308a |
| SHA256 | 3c6084f8db89433c257ef5d7d8e70c671bef332f3c5b030408e47e2501b1e8ac |
| SHA512 | c1db42e1bb433baaca40433977f0bc9013c4d4a409a5b5cdad8b8a4a8078218b518a0d55d3f8f9ca6a0f98066fcb153e5a02c1a84ea7625a823479681bf59790 |
memory/3176-71-0x0000000000400000-0x0000000000410000-memory.dmp