Malware Analysis Report

2025-03-15 01:15

Sample ID 240614-cktg1s1fph
Target 9a502ed24e1ff904e90a892a7689bdee.bin
SHA256 96808621c0a521fb44b0abc1bc8e4a7b092b7f85b9fdd0de2d29acb4bf35d9b4
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

96808621c0a521fb44b0abc1bc8e4a7b092b7f85b9fdd0de2d29acb4bf35d9b4

Threat Level: Likely malicious

The file 9a502ed24e1ff904e90a892a7689bdee.bin was found to be: Likely malicious.

Malicious Activity Summary

persistence

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:08

Reported

2024-06-14 02:11

Platform

win7-20240611-en

Max time kernel

144s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63959325-B87A-43de-9CBB-64193580E1E8} C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}\stubpath = "C:\\Windows\\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe" C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}\stubpath = "C:\\Windows\\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe" C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D279CA21-5F90-4d4a-842B-CA30D21490A4} C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D279CA21-5F90-4d4a-842B-CA30D21490A4}\stubpath = "C:\\Windows\\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe" C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1605FA92-A66E-4ea6-A565-2CE8C86306AD} C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A} C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C192C6AB-4559-4637-A246-291815039882} C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE820AE0-AE00-492a-87DB-71C7AD48F103} C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE820AE0-AE00-492a-87DB-71C7AD48F103}\stubpath = "C:\\Windows\\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe" C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}\stubpath = "C:\\Windows\\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe" C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB} C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}\stubpath = "C:\\Windows\\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe" C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A} C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}\stubpath = "C:\\Windows\\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe" C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BEF90B-E49F-4a5b-981F-E3F9721719F3} C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD13441-8BA1-43b6-99E7-E86FEADF5473} C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63959325-B87A-43de-9CBB-64193580E1E8}\stubpath = "C:\\Windows\\{63959325-B87A-43de-9CBB-64193580E1E8}.exe" C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D} C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C192C6AB-4559-4637-A246-291815039882}\stubpath = "C:\\Windows\\{C192C6AB-4559-4637-A246-291815039882}.exe" C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}\stubpath = "C:\\Windows\\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe" C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AD13441-8BA1-43b6-99E7-E86FEADF5473}\stubpath = "C:\\Windows\\{7AD13441-8BA1-43b6-99E7-E86FEADF5473}.exe" C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe N/A
File created C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe N/A
File created C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe N/A
File created C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe N/A
File created C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe N/A
File created C:\Windows\{7AD13441-8BA1-43b6-99E7-E86FEADF5473}.exe C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe N/A
File created C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
File created C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe N/A
File created C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe N/A
File created C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe N/A
File created C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe
PID 2192 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2772 N/A C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe
PID 2104 wrote to memory of 2696 N/A C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2772 wrote to memory of 2660 N/A C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe
PID 2772 wrote to memory of 2720 N/A C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2964 N/A C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe
PID 2660 wrote to memory of 2388 N/A C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 852 N/A C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe
PID 2964 wrote to memory of 2188 N/A C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe C:\Windows\SysWOW64\cmd.exe
PID 852 wrote to memory of 1948 N/A C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe
PID 852 wrote to memory of 1652 N/A C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe C:\Windows\SysWOW64\cmd.exe
PID 1948 wrote to memory of 2348 N/A C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe
PID 1948 wrote to memory of 2528 N/A C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe C:\Windows\SysWOW64\cmd.exe
PID 2348 wrote to memory of 1668 N/A C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe
PID 2348 wrote to memory of 2956 N/A C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe

"C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe"

C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe

C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9A502E~1.EXE > nul

C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe

C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{63959~1.EXE > nul

C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe

C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D279C~1.EXE > nul

C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe

C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1605F~1.EXE > nul

C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe

C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8B480~1.EXE > nul

C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe

C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B09B4~1.EXE > nul

C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe

C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{C192C~1.EXE > nul

C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe

C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9CCF9~1.EXE > nul

C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe

C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{034FC~1.EXE > nul

C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe

C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{95BEF~1.EXE > nul

C:\Windows\{7AD13441-8BA1-43b6-99E7-E86FEADF5473}.exe

C:\Windows\{7AD13441-8BA1-43b6-99E7-E86FEADF5473}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AE820~1.EXE > nul

Network

N/A

Files

C:\Windows\{63959325-B87A-43de-9CBB-64193580E1E8}.exe

C:\Windows\{D279CA21-5F90-4d4a-842B-CA30D21490A4}.exe

C:\Windows\{1605FA92-A66E-4ea6-A565-2CE8C86306AD}.exe

C:\Windows\{8B480C1E-8BAD-4ecd-A69B-F1027757F16D}.exe

C:\Windows\{B09B42B9-0355-4b45-A2CC-B955E4F8E18A}.exe

C:\Windows\{C192C6AB-4559-4637-A246-291815039882}.exe

C:\Windows\{9CCF99FA-6B60-41b6-A7B4-AB336D9277EB}.exe

C:\Windows\{034FC0F4-6FD9-43aa-9786-C019E1BBC34A}.exe

C:\Windows\{95BEF90B-E49F-4a5b-981F-E3F9721719F3}.exe

C:\Windows\{AE820AE0-AE00-492a-87DB-71C7AD48F103}.exe

C:\Windows\{7AD13441-8BA1-43b6-99E7-E86FEADF5473}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:08

Reported

2024-06-14 02:11

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F6EC41-1003-451e-81A0-0BA0139AE218} C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68A967E6-2805-4093-AA1E-BD4FDBFF3954} C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}\stubpath = "C:\\Windows\\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe" C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A754EDF-5358-44a4-B858-BC91A31FB32B}\stubpath = "C:\\Windows\\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe" C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9} C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}\stubpath = "C:\\Windows\\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe" C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06} C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}\stubpath = "C:\\Windows\\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe" C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B0D148-9D09-4801-A251-747DB7BEB9E8} C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ABC5C47-6808-4591-8B72-EA2049283D98}\stubpath = "C:\\Windows\\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe" C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}\stubpath = "C:\\Windows\\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe" C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DE091D-0324-4d17-A64E-39184684D107}\stubpath = "C:\\Windows\\{22DE091D-0324-4d17-A64E-39184684D107}.exe" C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A} C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B308AB7A-8DD3-4636-A3A0-E2B862E1B444} C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D72F63B-D734-48f1-95F9-C8D54C028CEE} C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{421D600A-F5D0-4199-970E-A10CE822CC89}\stubpath = "C:\\Windows\\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe" C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2ABC5C47-6808-4591-8B72-EA2049283D98} C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B308AB7A-8DD3-4636-A3A0-E2B862E1B444}\stubpath = "C:\\Windows\\{B308AB7A-8DD3-4636-A3A0-E2B862E1B444}.exe" C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A754EDF-5358-44a4-B858-BC91A31FB32B} C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}\stubpath = "C:\\Windows\\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe" C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22DE091D-0324-4d17-A64E-39184684D107} C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77B0D148-9D09-4801-A251-747DB7BEB9E8}\stubpath = "C:\\Windows\\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe" C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F6EC41-1003-451e-81A0-0BA0139AE218}\stubpath = "C:\\Windows\\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe" C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{421D600A-F5D0-4199-970E-A10CE822CC89} C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe N/A
File created C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe N/A
File created C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe N/A
File created C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe N/A
File created C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe N/A
File created C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe N/A
File created C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe N/A
File created C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe N/A
File created C:\Windows\{B308AB7A-8DD3-4636-A3A0-E2B862E1B444}.exe C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe N/A
File created C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
File created C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe N/A
File created C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1484 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe
PID 1484 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe
PID 1484 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe
PID 1484 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\SysWOW64\cmd.exe
PID 1484 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 4112 N/A C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe
PID 1420 wrote to memory of 4112 N/A C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe
PID 1420 wrote to memory of 4112 N/A C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe
PID 1420 wrote to memory of 1608 N/A C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 1608 N/A C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 1608 N/A C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 3204 N/A C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe
PID 4112 wrote to memory of 3204 N/A C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe
PID 4112 wrote to memory of 3204 N/A C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe
PID 4112 wrote to memory of 3392 N/A C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 3392 N/A C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 3392 N/A C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 3120 N/A C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe
PID 3204 wrote to memory of 3120 N/A C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe
PID 3204 wrote to memory of 3120 N/A C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe
PID 3204 wrote to memory of 5048 N/A C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 5048 N/A C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3204 wrote to memory of 5048 N/A C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 3112 N/A C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe
PID 3120 wrote to memory of 3112 N/A C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe
PID 3120 wrote to memory of 3112 N/A C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe
PID 3120 wrote to memory of 4012 N/A C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 4012 N/A C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe C:\Windows\SysWOW64\cmd.exe
PID 3120 wrote to memory of 4012 N/A C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 4564 N/A C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe
PID 3112 wrote to memory of 4564 N/A C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe
PID 3112 wrote to memory of 4564 N/A C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe
PID 3112 wrote to memory of 4684 N/A C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 4684 N/A C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 4684 N/A C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 4148 N/A C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe
PID 4564 wrote to memory of 4148 N/A C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe
PID 4564 wrote to memory of 4148 N/A C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe
PID 4564 wrote to memory of 4720 N/A C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 4720 N/A C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4564 wrote to memory of 4720 N/A C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 5028 N/A C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe
PID 4148 wrote to memory of 5028 N/A C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe
PID 4148 wrote to memory of 5028 N/A C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe
PID 4148 wrote to memory of 3612 N/A C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 3612 N/A C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe C:\Windows\SysWOW64\cmd.exe
PID 4148 wrote to memory of 3612 N/A C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 4364 N/A C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe
PID 5028 wrote to memory of 4364 N/A C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe
PID 5028 wrote to memory of 4364 N/A C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe
PID 5028 wrote to memory of 4056 N/A C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 4056 N/A C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 5028 wrote to memory of 4056 N/A C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 4416 N/A C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe
PID 4364 wrote to memory of 4416 N/A C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe
PID 4364 wrote to memory of 4416 N/A C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe
PID 4364 wrote to memory of 428 N/A C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 428 N/A C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 428 N/A C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 1560 N/A C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe
PID 4416 wrote to memory of 1560 N/A C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe
PID 4416 wrote to memory of 1560 N/A C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe
PID 4416 wrote to memory of 4808 N/A C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe

"C:\Users\Admin\AppData\Local\Temp\9a502ed24e1ff904e90a892a7689bdee.exe"

C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe

C:\Windows\{A1B15FE6-7C7C-405a-A68E-BF3B13E12F06}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9A502E~1.EXE > nul

C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe

C:\Windows\{77B0D148-9D09-4801-A251-747DB7BEB9E8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A1B15~1.EXE > nul

C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe

C:\Windows\{3D72F63B-D734-48f1-95F9-C8D54C028CEE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{77B0D~1.EXE > nul

C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe

C:\Windows\{E4F6EC41-1003-451e-81A0-0BA0139AE218}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3D72F~1.EXE > nul

C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe

C:\Windows\{421D600A-F5D0-4199-970E-A10CE822CC89}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E4F6E~1.EXE > nul

C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe

C:\Windows\{8A754EDF-5358-44a4-B858-BC91A31FB32B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{421D6~1.EXE > nul

C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe

C:\Windows\{2ABC5C47-6808-4591-8B72-EA2049283D98}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{8A754~1.EXE > nul

C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe

C:\Windows\{CEE50574-E10F-40fe-8CF8-B57604D8E7F9}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2ABC5~1.EXE > nul

C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe

C:\Windows\{68A967E6-2805-4093-AA1E-BD4FDBFF3954}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CEE50~1.EXE > nul

C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe

C:\Windows\{22DE091D-0324-4d17-A64E-39184684D107}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{68A96~1.EXE > nul

C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe

C:\Windows\{E9053395-3A7D-4849-9F47-D2F2EBB4B22A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{22DE0~1.EXE > nul

C:\Windows\{B308AB7A-8DD3-4636-A3A0-E2B862E1B444}.exe

C:\Windows\{B308AB7A-8DD3-4636-A3A0-E2B862E1B444}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E9053~1.EXE > nul

Network

Files
