Malware Analysis Report

2025-01-18 15:11

Sample ID 240614-dlaa7swhnq
Target b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e
SHA256 b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e
Tags
persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e

Threat Level: Known bad

The file b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e was found to be: Known bad.

Malicious Activity Summary

persistence

Auto-generated rule

Modifies Installed Components in the registry

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 03:05

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 03:05

Reported

2024-06-14 03:07

Platform

win7-20240508-en

Max time kernel

144s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}\stubpath = "C:\\Windows\\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe" C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539} C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}\stubpath = "C:\\Windows\\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe" C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069B1446-4C8C-4363-88F4-5A31B59F01ED}\stubpath = "C:\\Windows\\{069B1446-4C8C-4363-88F4-5A31B59F01ED}.exe" C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}\stubpath = "C:\\Windows\\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe" C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568} C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}\stubpath = "C:\\Windows\\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe" C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{259A5A8C-18F7-4a82-A003-BE60C889E5A7} C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}\stubpath = "C:\\Windows\\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe" C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A662B479-1715-48a5-B4F6-7DD48E27E719} C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD10995C-36BE-4b86-BAB6-A34F3056218E} C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{069B1446-4C8C-4363-88F4-5A31B59F01ED} C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5} C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}\stubpath = "C:\\Windows\\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe" C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}\stubpath = "C:\\Windows\\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe" C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A} C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A662B479-1715-48a5-B4F6-7DD48E27E719}\stubpath = "C:\\Windows\\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe" C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52} C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0} C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD10995C-36BE-4b86-BAB6-A34F3056218E}\stubpath = "C:\\Windows\\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe" C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A6FF509-51A9-4804-831E-6799D3C21FB3} C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A6FF509-51A9-4804-831E-6799D3C21FB3}\stubpath = "C:\\Windows\\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe" C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
File created C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe N/A
File created C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe N/A
File created C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe N/A
File created C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe N/A
File created C:\Windows\{069B1446-4C8C-4363-88F4-5A31B59F01ED}.exe C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe N/A
File created C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe N/A
File created C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe N/A
File created C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe N/A
File created C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe N/A
File created C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe
PID 1676 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe
PID 1676 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe
PID 1676 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe
PID 1676 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2588 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe
PID 2940 wrote to memory of 2588 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe
PID 2940 wrote to memory of 2588 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe
PID 2940 wrote to memory of 2588 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe
PID 2940 wrote to memory of 2216 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2216 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2216 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2216 N/A C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2780 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe
PID 2588 wrote to memory of 2780 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe
PID 2588 wrote to memory of 2780 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe
PID 2588 wrote to memory of 2780 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe
PID 2588 wrote to memory of 2608 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2608 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2608 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2608 N/A C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 1504 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe
PID 2780 wrote to memory of 1504 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe
PID 2780 wrote to memory of 1504 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe
PID 2780 wrote to memory of 1504 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe
PID 2780 wrote to memory of 276 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 276 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 276 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 276 N/A C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2620 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe
PID 1504 wrote to memory of 2620 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe
PID 1504 wrote to memory of 2620 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe
PID 1504 wrote to memory of 2620 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe
PID 1504 wrote to memory of 2788 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2788 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2788 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2788 N/A C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2352 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe
PID 2620 wrote to memory of 2352 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe
PID 2620 wrote to memory of 2352 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe
PID 2620 wrote to memory of 2352 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe
PID 2620 wrote to memory of 2244 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2244 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2244 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2244 N/A C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1988 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe
PID 2352 wrote to memory of 1988 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe
PID 2352 wrote to memory of 1988 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe
PID 2352 wrote to memory of 1988 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe
PID 2352 wrote to memory of 1804 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1804 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1804 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1804 N/A C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 2332 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe
PID 1988 wrote to memory of 2332 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe
PID 1988 wrote to memory of 2332 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe
PID 1988 wrote to memory of 2332 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe
PID 1988 wrote to memory of 856 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 856 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 856 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 856 N/A C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe

"C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe"

C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe

C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B5FB24~1.EXE > nul

C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe

C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{25A5C~1.EXE > nul

C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe

C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{76E42~1.EXE > nul

C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe

C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{17D68~1.EXE > nul

C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe

C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E6592~1.EXE > nul

C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe

C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{259A5~1.EXE > nul

C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe

C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{2A6FF~1.EXE > nul

C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe

C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D9F81~1.EXE > nul

C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe

C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DFCE9~1.EXE > nul

C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe

C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A662B~1.EXE > nul

C:\Windows\{069B1446-4C8C-4363-88F4-5A31B59F01ED}.exe

C:\Windows\{069B1446-4C8C-4363-88F4-5A31B59F01ED}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{AD109~1.EXE > nul

Network

N/A

Files

C:\Windows\{25A5C5DE-8C22-492a-ABC4-26CA0B452AF5}.exe

C:\Windows\{76E42CF1-EB2D-4daf-A24D-8F22DA7E0D52}.exe

C:\Windows\{17D68E79-B8F8-42e2-B8D4-BDE715982BC0}.exe

C:\Windows\{E6592C5D-E8A8-4514-ACDE-1A1BD9617568}.exe

C:\Windows\{259A5A8C-18F7-4a82-A003-BE60C889E5A7}.exe

C:\Windows\{2A6FF509-51A9-4804-831E-6799D3C21FB3}.exe

C:\Windows\{D9F81885-FCC1-4dd8-8BA4-CADAFF680539}.exe

C:\Windows\{DFCE99C5-DBE1-4662-991A-0EC9BDBCFE7A}.exe

C:\Windows\{A662B479-1715-48a5-B4F6-7DD48E27E719}.exe

C:\Windows\{AD10995C-36BE-4b86-BAB6-A34F3056218E}.exe

C:\Windows\{069B1446-4C8C-4363-88F4-5A31B59F01ED}.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 03:05

Reported

2024-06-14 03:07

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe"

Signatures

Auto-generated rule

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}\stubpath = "C:\\Windows\\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe" C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5} C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}\stubpath = "C:\\Windows\\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe" C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965E84A8-3254-450b-ABE2-8312961EE028}\stubpath = "C:\\Windows\\{965E84A8-3254-450b-ABE2-8312961EE028}.exe" C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}\stubpath = "C:\\Windows\\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe" C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B39BB886-2636-4c63-896E-B0D177C341C2}\stubpath = "C:\\Windows\\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe" C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91D6BD3F-5E4A-49eb-8207-145A57D33510} C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6} C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9987E3F4-E151-4239-B220-F60801F43B42} C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{145CA368-F170-40b7-951C-A9B2C7AF1545} C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B39BB886-2636-4c63-896E-B0D177C341C2} C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{91D6BD3F-5E4A-49eb-8207-145A57D33510}\stubpath = "C:\\Windows\\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe" C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1} C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{145CA368-F170-40b7-951C-A9B2C7AF1545}\stubpath = "C:\\Windows\\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe" C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9987E3F4-E151-4239-B220-F60801F43B42}\stubpath = "C:\\Windows\\{9987E3F4-E151-4239-B220-F60801F43B42}.exe" C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{965E84A8-3254-450b-ABE2-8312961EE028} C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}\stubpath = "C:\\Windows\\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe" C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8} C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DACBA9C0-8638-4719-9553-D67F73A8EDBC} C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF} C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}\stubpath = "C:\\Windows\\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe" C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41A14308-816A-4f1a-A517-17AA1F4C6AF2} C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}\stubpath = "C:\\Windows\\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}.exe" C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}\stubpath = "C:\\Windows\\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe" C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe N/A
File created C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe N/A
File created C:\Windows\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}.exe C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe N/A
File created C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
File created C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe N/A
File created C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe N/A
File created C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe N/A
File created C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe N/A
File created C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe N/A
File created C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe N/A
File created C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe N/A
File created C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe
PID 4980 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe
PID 4980 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe
PID 4980 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 4972 N/A C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe
PID 1676 wrote to memory of 4972 N/A C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe
PID 1676 wrote to memory of 4972 N/A C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe
PID 1676 wrote to memory of 3504 N/A C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3504 N/A C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3504 N/A C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Windows\SysWOW64\cmd.exe
PID 4972 wrote to memory of 2472 N/A C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe
PID 4972 wrote to memory of 2472 N/A C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe
PID 4972 wrote to memory of 2472 N/A C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe
PID 4972 wrote to memory of 64 N/A C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4972 wrote to memory of 64 N/A C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 4972 wrote to memory of 64 N/A C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4952 N/A C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe
PID 2472 wrote to memory of 4952 N/A C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe
PID 2472 wrote to memory of 4952 N/A C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe
PID 2472 wrote to memory of 4620 N/A C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4620 N/A C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4620 N/A C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 1068 N/A C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe
PID 4952 wrote to memory of 1068 N/A C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe
PID 4952 wrote to memory of 1068 N/A C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe
PID 4952 wrote to memory of 2480 N/A C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 2480 N/A C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\SysWOW64\cmd.exe
PID 4952 wrote to memory of 2480 N/A C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 3752 N/A C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe
PID 1068 wrote to memory of 3752 N/A C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe
PID 1068 wrote to memory of 3752 N/A C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe
PID 1068 wrote to memory of 2220 N/A C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2220 N/A C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2220 N/A C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 2060 N/A C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe
PID 3752 wrote to memory of 2060 N/A C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe
PID 3752 wrote to memory of 2060 N/A C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe
PID 3752 wrote to memory of 2244 N/A C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 2244 N/A C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 3752 wrote to memory of 2244 N/A C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 4428 N/A C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe
PID 2060 wrote to memory of 4428 N/A C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe
PID 2060 wrote to memory of 4428 N/A C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe
PID 2060 wrote to memory of 4472 N/A C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 4472 N/A C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 4472 N/A C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 2896 N/A C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe
PID 4428 wrote to memory of 2896 N/A C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe
PID 4428 wrote to memory of 2896 N/A C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe
PID 4428 wrote to memory of 3904 N/A C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 3904 N/A C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 3904 N/A C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 3824 N/A C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe
PID 2896 wrote to memory of 3824 N/A C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe
PID 2896 wrote to memory of 3824 N/A C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe
PID 2896 wrote to memory of 1000 N/A C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1000 N/A C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 1000 N/A C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3824 wrote to memory of 4288 N/A C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe
PID 3824 wrote to memory of 4288 N/A C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe
PID 3824 wrote to memory of 4288 N/A C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe
PID 3824 wrote to memory of 4524 N/A C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe

"C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe"

C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe

C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B5FB24~1.EXE > nul

C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe

C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CD899~1.EXE > nul

C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe

C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA5A~1.EXE > nul

C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe

C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{404E9~1.EXE > nul

C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe

C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{965E8~1.EXE > nul

C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe

C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DACBA~1.EXE > nul

C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe

C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D2E46~1.EXE > nul

C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe

C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B39BB~1.EXE > nul

C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe

C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{91D6B~1.EXE > nul

C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe

C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6C6A8~1.EXE > nul

C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe

C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{145CA~1.EXE > nul

C:\Windows\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}.exe

C:\Windows\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9987E~1.EXE > nul
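The three tables above (file drops, Active Setup stubpath writes, and the cmd.exe /c del command lines) together describe one pattern: every stage drops the next GUID-named executable into C:\Windows, registers that successor as an Active Setup stub so it runs at the next interactive logon, launches it, and has cmd.exe delete the stage before it. The script below is an added illustration written for this report, not sandbox tooling; it rebuilds the chain from rows copied verbatim from the tables (embedded as constructed input), pairs each stubpath write with the stage that wrote it, and resolves the 8.3 short names in the del commands back to the dropped files. The short-name matcher is a heuristic (first six characters of the stem plus the extension), which is sufficient for these GUID file names but not a general 8.3 implementation.

```python
"""Rebuild the dropper chain, Active Setup persistence and self-deletion
steps from the signature rows of this report. Added illustration, not
sandbox tooling; the rows below are copied from the report tables."""
import re

# Constructed input: the "Drops file in Windows directory" rows of this report.
FILE_ROWS = r"""
File created C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe N/A
File created C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe N/A
File created C:\Windows\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}.exe C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe N/A
File created C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe C:\Users\Admin\AppData\Local\Temp\b5fb24a70bcacc243d2cb1edd521b5b33f627931b10341b3fa172aa06b29cf1e.exe N/A
File created C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe N/A
File created C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe N/A
File created C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe N/A
File created C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe N/A
File created C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe N/A
File created C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe N/A
File created C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe N/A
File created C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe N/A
"""

# Constructed input: three of the Active Setup "Set value (str)" rows.
REG_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}\stubpath = "C:\\Windows\\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe" C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}\stubpath = "C:\\Windows\\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}.exe" C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}\stubpath = "C:\\Windows\\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe" C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe N/A
"""

# Constructed input: the first four cmd.exe command lines from the process list.
CMD_ROWS = r"""
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B5FB24~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{CD899~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA5A~1.EXE > nul
C:\Windows\system32\cmd.exe /c del C:\Windows\{404E9~1.EXE > nul
"""

FILE_RE = re.compile(r"^File created (\S+) (\S+) N/A$")
REG_RE = re.compile(r'^Set value \(str\) (.+?)\\stubpath = "([^"]+)" (\S+) N/A$')
DEL_RE = re.compile(r"cmd\.exe /c del (\S+) > nul", re.IGNORECASE)


def build_chain(file_rows):
    """Order the drops as a single parent -> child chain, root first."""
    parent_of = {}
    for row in file_rows.strip().splitlines():
        m = FILE_RE.match(row.strip())
        if m:
            child, parent = m.groups()
            parent_of[child] = parent
    roots = {p for p in parent_of.values() if p not in parent_of}
    if len(roots) != 1:
        raise ValueError("expected exactly one root dropper, got %r" % roots)
    child_of = {p: c for c, p in parent_of.items()}
    chain = [roots.pop()]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return chain


def persistence_entries(reg_rows):
    """(Installed Components GUID, stubpath target, writing process) per row.
    The report escapes backslashes in the value; collapse them back."""
    entries = []
    for row in reg_rows.strip().splitlines():
        m = REG_RE.match(row.strip())
        if m:
            key, stub, writer = m.groups()
            entries.append((key.rsplit("\\", 1)[1], stub.replace("\\\\", "\\"), writer))
    return entries


def matches_short_name(long_path, short_path):
    """Heuristic 8.3 match: first six stem characters upper-cased + '~N' and
    the extension. Real 8.3 generation also strips spaces and some punctuation."""
    lstem, lext = long_path.rsplit("\\", 1)[1].rsplit(".", 1)
    sstem, sext = short_path.rsplit("\\", 1)[1].rsplit(".", 1)
    return sstem.split("~")[0] == lstem[:6].upper() and sext.upper() == lext.upper()


def deleted_stages(chain, cmd_rows):
    """Map each 'del <8.3 name>' command line back to the chain stage it removes."""
    deleted = []
    for row in cmd_rows.strip().splitlines():
        m = DEL_RE.search(row)
        if m:
            deleted.extend(s for s in chain if matches_short_name(s, m.group(1)))
    return deleted


def summarize(file_rows=FILE_ROWS, reg_rows=REG_ROWS, cmd_rows=CMD_ROWS):
    chain = build_chain(file_rows)
    persisted = persistence_entries(reg_rows)
    # (writer index, stub index): a hop of +1 means each stage registers its
    # own successor under Active Setup.
    hops = [(chain.index(w), chain.index(s)) for _, s, w in persisted
            if s in chain and w in chain]
    return {"chain": chain, "persisted": persisted,
            "deleted": deleted_stages(chain, cmd_rows), "hops": hops}


if __name__ == "__main__":
    result = summarize()
    for i, stage in enumerate(result["chain"]):
        print("stage %2d  %s" % (i, stage))
    print("Active Setup hops (writer -> stub):", result["hops"])
    print("stages removed by cmd.exe:", [d.rsplit("\\", 1)[1] for d in result["deleted"]])
```

Run against the full report the same way: paste every "File created" row and every stubpath row, and a hop list that is entirely +1 confirms the stage-registers-successor pattern, while any stubpath whose target is not in the chain points at a persistence entry the drop table did not account for and is worth a second look.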

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp

Files

C:\Windows\{CD8999F9-FD15-4543-A1E1-D3760AC2A9A6}.exe

MD5 3af0ea2cb53bef62a27ca187a7638eb6
SHA1 b56bd5271ca9f171c40d33eff5e3ce6f9e29e458
SHA256 f313776d9b269a51aa3847ae2f8744de73184a1868a0cf4864178c7614ad480b
SHA512 35426d2267bcbcd8d859a6eb14a029a4c8da64d614b91b08d5a9e096743449721c54bc03f498244a15b265b334f1c1c6d8cb074a34683c4b8aeca18cbac192a8

C:\Windows\{3FA5A6AA-FD11-464d-9D66-2578F1AA66D8}.exe

MD5 f1d3ec84dfa3b511873e03a96f409000
SHA1 a67d7ab1ccbaf42e877bc882c931aa7641c89706
SHA256 9a9c46a1ffd09739b644ea695a7ce43f6f9876a1e089888a41da89dc4af0ff89
SHA512 206a38ffb2fbc095cf686f27ceb5f6f4dd890ecab3789d520d427d359621b5a99264504336cd91faa09770ecf0a4ac330503464cd39e14337f44add9b39002fd

C:\Windows\{404E9C52-0403-4a0a-9F1D-9C3EF3890CC5}.exe

MD5 7bb052c1f5bda1bda9b8def12b37e999
SHA1 2a9613f33a9a4f5a0f79e94210b1e2ed55d32c41
SHA256 6577f34d4f23e473b349c3745492a020f1e85eec4a6b65454ccb7d61ef7510a7
SHA512 b868523dab1485efb1ddd61c4a2a31fe0c4397010ad971568e357369ed9841f7e2f55aba190c4f1cda13f3b7b7dd98c133e0a2f87871ec975f605f7bcecbe6ca

C:\Windows\{965E84A8-3254-450b-ABE2-8312961EE028}.exe

MD5 dcb5dc891651b3e2c98d2c896a3061e9
SHA1 c93f2536f4c2c22be64563b27c88b5f125105c6a
SHA256 6aa096d846247c232e03511d0c6b741bec2c373025b7fa226d74e175b89b47f8
SHA512 e178b850f486939dafb8514cedf341834306fc13e345d06c20bb5b911279df232828133468bd66868d7f79a6ca5269ce2ead3dbd41c272c161230cd701a62aed

C:\Windows\{DACBA9C0-8638-4719-9553-D67F73A8EDBC}.exe

MD5 2b8d5d293ad794b16b595913ce4a8317
SHA1 30e3e9480facce0dee0da8198e66202103529751
SHA256 d6c2d50d97bbe32d136e77c8bbe837bcbf274c65be84a01dc0a45b31fdd66371
SHA512 65fb08bb370ce2291e457849c4f89c3583e310e6b379a8a89b0a84f875bb2d3665eb474e169900ec319650398fd165d59cef8d53d5c32398d8c7e2ac89f28c9c

C:\Windows\{D2E46E34-80B9-4c10-9A69-4EB00860C6DF}.exe

MD5 8cd125539a536bdf7f69ace5b7313a58
SHA1 3a0255ed5151bccc3fdbc8679256ed91edfd4bcf
SHA256 ee468e12e37b93fd6fb0a017c8def9399a687db0ef830b99416b38f69c11b3e3
SHA512 60129d4ade0078af17e4692bfe3d07527555e8825a1fa0fd61acdc442eb63de3e42c0b7ed122bef1838125a58dc80259e8ffca59f53e85475716cbed7df73efa

C:\Windows\{B39BB886-2636-4c63-896E-B0D177C341C2}.exe

MD5 bc806940722fc3e138e9f44e964b8d0e
SHA1 37fe6ed957093ec580befb57b56dec965e0175dc
SHA256 06d48afaeb0cd60d23649eb6e81ad706db9d0510000b0ad4ae9e7b46f7d2ee10
SHA512 e92c4b0a89de74b0c4d7c8fdad7b4be1df44db1137a020d3b9a974a67ae9b1625b3f121ff51c634a4dff380b96216f1028956ea01dfebb6a849ca1fe24cd87ac

C:\Windows\{91D6BD3F-5E4A-49eb-8207-145A57D33510}.exe

MD5 866ccab48d73a75c2e4d26191b42cf7c
SHA1 af7e4c7f091c4cf262849a5f2566958f42d0bf6a
SHA256 1c3710bdc10009e844cfd8700fa7a26be336140688e1ccabefe533d91f6e1d98
SHA512 9c9dc98dae9d9380361862acc3c5f41c75f09be1c8a9ee38f7cf2723132e2b10bbd69b1a59d356d321430caa8390851cdc43f137127ca83290673c16264ec33d

C:\Windows\{6C6A87D1-C252-4a96-A345-A7DE8FEB04A1}.exe

MD5 7ce252cfcb14c9008a79183c61353fde
SHA1 1ff30cb84a11c0471c363bc2f514fd38a5bb4801
SHA256 0a86e272b2a3e9198898291b09b7b82a1f224470efe94142e7f401a0798182da
SHA512 d31adb9b2ce309906bec8472c26567598c8c700bc293172144768006cf93d1e302ec2f8219a5ead034a84515f7a7203e91543acdaad749a0d4026648a2f1bf3e

C:\Windows\{145CA368-F170-40b7-951C-A9B2C7AF1545}.exe

MD5 d1625cc781eae0dac288d5a256f4604c
SHA1 e00b9e99c96b797236867fcdab32ee2bef2c5fec
SHA256 0b7634c419f90c45edce08d4418d5b3c02405c5715c40b8874add6b83fe73168
SHA512 9ec88d9f965cc467b91e16519647b9fc4cf0f6e79ef991aeab11015411009ae29ab0090ae6e2ad00228e589a5f9822f8141c01bcc34535f85e472ca0023fc20f

C:\Windows\{9987E3F4-E151-4239-B220-F60801F43B42}.exe

MD5 99caad91a789f1ac5ff476f43676cf90
SHA1 0312505f8bc204776483262d49180dd76aecf534
SHA256 550677503a0f4246786967fc2ba31239f5dd359e64874e95642e9567df1cc2d1
SHA512 2ba6a4512914008425ee479056606eb33e9ca92baf6d4742e1e4c4cf875c85747ab81189ce1a3207de6b284262ec320116c0829b10927f3434baf9092da36ec2

C:\Windows\{41A14308-816A-4f1a-A517-17AA1F4C6AF2}.exe

MD5 84d3817765a6f83a6bd6bfa2809ff670
SHA1 a27c9de7ac3a307bedde9002b0b6cc6d0364fd3f
SHA256 4daf7d81882bbbb89ecf7fe62a08d5065d64fcaed51cf66ce5b298bc335bee13
SHA512 711a867d472e55f2e87f8192f111b6ea9bd15b54e0a178da64af7f5e4edc617c67744960df0c0e02d989167fc4311ab4c99fca53df14a2adbff246517673fbd8