Analysis Overview
SHA256
221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a
Threat Level: Likely malicious
The file 221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Executes dropped EXE
Deletes itself
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 20:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 20:29
Reported
2024-11-09 20:31
Platform
win7-20240708-en
Max time kernel
144s
Max time network
121s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE01639-8037-44d6-9ACF-0FB737D534AE}\stubpath = "C:\\Windows\\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe" | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC013546-185D-4d0f-8DFB-ABCEA8140B96} | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}\stubpath = "C:\\Windows\\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe" | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{806FA20A-28A1-43b8-83C1-8C0630611F10}\stubpath = "C:\\Windows\\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe" | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFE01639-8037-44d6-9ACF-0FB737D534AE} | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F41011-39B3-4aab-9587-AEAFD6BF98A3} | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}\stubpath = "C:\\Windows\\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe" | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB} | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}\stubpath = "C:\\Windows\\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe" | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}\stubpath = "C:\\Windows\\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe" | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E727827-C793-4462-8A94-B5E28E075295}\stubpath = "C:\\Windows\\{4E727827-C793-4462-8A94-B5E28E075295}.exe" | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{333DA285-29C9-49ba-96FD-1E957715E9C0} | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C74AD7-F4A3-4701-9849-81F792C94B13} | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}\stubpath = "C:\\Windows\\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe" | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}\stubpath = "C:\\Windows\\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe" | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6} | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{806FA20A-28A1-43b8-83C1-8C0630611F10} | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E727827-C793-4462-8A94-B5E28E075295} | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{333DA285-29C9-49ba-96FD-1E957715E9C0}\stubpath = "C:\\Windows\\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe" | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81C74AD7-F4A3-4701-9849-81F792C94B13}\stubpath = "C:\\Windows\\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe" | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA} | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF} | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A |
| N/A | N/A | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A |
| N/A | N/A | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A |
| N/A | N/A | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A |
| N/A | N/A | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A |
| N/A | N/A | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A |
| N/A | N/A | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A |
| N/A | N/A | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A |
| N/A | N/A | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A |
| N/A | N/A | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A |
| N/A | N/A | C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A |
| File created | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A |
| File created | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A |
| File created | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A |
| File created | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A |
| File created | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| File created | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A |
| File created | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A |
| File created | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A |
| File created | C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A |
| File created | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | "C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe" |
| C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\221D6A~1.EXE > nul |
| C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BD7DF~1.EXE > nul |
| C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{321BD~1.EXE > nul |
| C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{806FA~1.EXE > nul |
| C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE01~1.EXE > nul |
| C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{4E727~1.EXE > nul |
| C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{333DA~1.EXE > nul |
| C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{81C74~1.EXE > nul |
| C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CC013~1.EXE > nul |
| C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{14C80~1.EXE > nul |
| C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe | C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{68F41~1.EXE > nul |
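The Active Setup, "Drops file" and process entries above describe a single mechanism: each stage drops the next GUID-named EXE into C:\Windows, registers that file as the StubPath of a new HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} key (the Wow6432Node path shows the writers are 32-bit processes on a 64-bit host), executes it, and the new stage spawns cmd.exe to delete its predecessor. Active Setup runs an HKLM StubPath once per user at the next logon when no matching HKCU component exists, so these entries only matter for a stage that still exists on disk. The script below is an added example, not part of the sandbox report or its tooling: it parses rows copied from the behavioral1 tables, rebuilds the drop order, flags StubPath values that point at a GUID-named EXE directly under C:\Windows, and maps each `cmd /c del` 8.3 short name back to a stage to show which one survives. The function names are this example's own.

```python
"""Rebuild this report's drop chain, Active Setup persistence and
self-deletion pattern from its behavioral1 tables.
Added example: the rows and command lines are copied from the report;
the function names are this example's own, not the sandbox's."""
import re
from typing import Dict, List, Tuple

# "File created" rows from "Drops file in Windows directory":
# | Description | Indicator (dropped file) | Process (writer) | Target |
DROP_ROWS = r"""
| File created | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | N/A |
| File created | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | N/A |
| File created | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe | N/A |
| File created | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe | N/A |
| File created | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe | N/A |
| File created | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| File created | C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | N/A |
| File created | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe | N/A |
| File created | C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe | C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe | N/A |
| File created | C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A |
| File created | C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe | C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe | N/A |
"""

# Two "Set value (str)" rows from the Active Setup table (first and last stage).
ACTIVE_SETUP_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}\stubpath = "C:\\Windows\\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe" | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}\stubpath = "C:\\Windows\\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe" | C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe | N/A |
"""

# Command lines of the eleven cmd.exe children from the process list.
DEL_CMDLINES = [
    r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\221D6A~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{BD7DF~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{321BD~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{806FA~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{FFE01~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{4E727~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{333DA~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{81C74~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{CC013~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{14C80~1.EXE > nul",
    r"C:\Windows\system32\cmd.exe /c del C:\Windows\{68F41~1.EXE > nul",
]

# A GUID-named EXE sitting directly in the Windows root, as used by every stage.
GUID_EXE_IN_WINROOT = re.compile(
    r"^C:\\Windows\\\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)


def parse_table(text: str) -> List[List[str]]:
    """Split the report's 4-column markdown rows into cell lists."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            rows.append(cells)
    return rows


def build_drop_chain(rows: List[List[str]]) -> List[str]:
    """Order writer -> dropped-file edges into one chain that starts at the
    only writer nobody dropped (the submitted sample)."""
    edges: Dict[str, str] = {}
    for desc, dropped, writer, _ in rows:
        if desc != "File created":
            continue
        if writer in edges:
            raise ValueError(f"{writer} drops more than one file; not a simple chain")
        edges[writer] = dropped
    roots = [w for w in edges if w not in set(edges.values())]
    if len(roots) != 1:
        raise ValueError(f"expected one chain root, got {roots}")
    chain = [roots[0]]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]])
    return chain


def flag_active_setup(rows: List[List[str]]) -> List[Tuple[str, str]]:
    """Return (stubpath, writing process) for every Active Setup StubPath
    value that points at a GUID-named EXE directly under C:\\Windows."""
    hits = []
    for desc, indicator, writer, _ in rows:
        key, sep, value = indicator.partition(" = ")
        if not (desc.startswith("Set value") and sep and key.lower().endswith("\\stubpath")):
            continue
        stub = value.strip('"').replace("\\\\", "\\")  # undo registry-style escaping
        if GUID_EXE_IN_WINROOT.match(stub):
            hits.append((stub, writer))
    return hits


def surviving_stages(chain: List[str], del_cmdlines: List[str]) -> List[str]:
    """Map each 'del <8.3 name>' back to a stage by the first six basename
    characters (which 8.3 short names preserve) and return the stages that
    no cmd.exe child deletes."""
    deleted = set()
    for cmd in del_cmdlines:
        m = re.search(r"del (\S+) > nul", cmd)
        if m:
            deleted.add(m.group(1).rsplit("\\", 1)[-1][:6].upper())
    return [p for p in chain if p.rsplit("\\", 1)[-1][:6].upper() not in deleted]


if __name__ == "__main__":
    chain = build_drop_chain(parse_table(DROP_ROWS))
    print(f"{len(chain) - 1} dropped stages, last: {chain[-1]}")
    for stub, writer in flag_active_setup(parse_table(ACTIVE_SETUP_ROWS)):
        print(f"Active Setup StubPath -> {stub} (written by {writer})")
    print("survives self-deletion:", surviving_stages(chain, DEL_CMDLINES))
```

Only the final stage, {3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe, has no cmd.exe deleting it, so the other ten Installed Components keys end up pointing at files that no longer exist; the same functions order the twelve stages listed under behavioral2. The StubPath filter is a heuristic rather than proof: legitimate Active Setup components also use GUID keys, but their StubPath values normally invoke system binaries such as regsvr32 or rundll32 with a DLL under System32, not a loose EXE in the Windows root. On a live host, enumerate the same key (including the Wow6432Node view) and apply the same filter.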
Network
Files
C:\Windows\{BD7DF374-A28D-40fa-8B6D-E345CEBB81EF}.exe
| MD5 | ecca7a9d9c9a50c40392ce7bb1190a06 |
| SHA1 | 54b356ca54e79b983ca7c678ec0b61acbc5a246c |
| SHA256 | 9f427b283b75b347f8ed75102160f06141f1eaad66c197f3ee319145b817bfff |
| SHA512 | 9fbff5663ab89059cc1c58c607ddedda78ef31922fe57590680038844566b4124bfc29e90dd5272ade6e33e45935658d84e4ccb8d87c9fdb8b1301aa685794fb |
C:\Windows\{321BDC50-D15A-4e57-8CAC-7FAF9E7C91C6}.exe
| MD5 | 4adb2c4cee2053230f3392c38d69597f |
| SHA1 | 2cfc699b05e2f127cc192093fdc0303ec058325c |
| SHA256 | 7cfea42038a6e93d5c5cfbc9bbeac508406055ec08fae51dc6923939e5f94c56 |
| SHA512 | 7823e0d63d33f227ec3a1ad2d2a69ebce4aea59bd33a1e96be7aecb4695e2f0e41fbcdf2df2411c760aa97eb000f54f553ccc2869572d0d5e13959c1e38147db |
C:\Windows\{806FA20A-28A1-43b8-83C1-8C0630611F10}.exe
| MD5 | f56397d6d5b289c2d5a485244041c274 |
| SHA1 | d53b73ba9a9240a62d1f27a90ee77a62cb1f9678 |
| SHA256 | fd73b7b3b26b41703ff7af792f95b2fa9b240af806accad15b6771f9dd21cd48 |
| SHA512 | 6d6d895bb6406d09d8da805aadfcdd01e689e5c076dc94ddc2b68a1bac362f88553d8c292f8a2ea68485f10d6b7cf89605973ef89407fe677ebdc491726ef117 |
C:\Windows\{FFE01639-8037-44d6-9ACF-0FB737D534AE}.exe
| MD5 | 6f7734a8f8f9bc0d758d6d5dcb4f5b65 |
| SHA1 | 8fb934490984d40fc422f361f0d22ae14470c683 |
| SHA256 | 0956cc9fb2df8f0b80471f9fcdabf15d10477727864bab9a88770f431bd4dfe0 |
| SHA512 | f66b83d465d5fef41a7478af2d87d13d35110c6f4fb6a424b0e95b1633f7095a11b7f04e9cd1887a3e7190b7ea66a203fcd34dd48e9a7059e6bf2072d60aa13a |
C:\Windows\{4E727827-C793-4462-8A94-B5E28E075295}.exe
| MD5 | 684d2213fe3435a7667ecf3d48889d79 |
| SHA1 | 03194886726475bb2e683b4a0bbad43cb800e9c4 |
| SHA256 | 78727e5627f51083d2e32c76a9a00155d9a4382aff51aa30d5fb1756336a28ea |
| SHA512 | 224af68bf9049be1ce2969b8ab7a556877fdf1a38575321b3d0a0624bef4516083b37b3a3e15da4b3e62e5e2d4f942c821beb6dca1bfcb5c47969aac39e9af6b |
C:\Windows\{333DA285-29C9-49ba-96FD-1E957715E9C0}.exe
| MD5 | cc62a883d244153a1dd9cc6dc86837bc |
| SHA1 | ecc28bc0779911f7e543675100639d1f0684ea9c |
| SHA256 | d928164fee36322a7116193d9e65d66c9bb4fb3af265b04ba04acefd6fb7b8ba |
| SHA512 | 6826e6c0d1630b234afd764cffc4bd1455327fb11994de207594881b0866a0fad3fbcffd72edf9a531964c3629ba49251afef8d0c5510b84f67edc43f48c37ee |
C:\Windows\{81C74AD7-F4A3-4701-9849-81F792C94B13}.exe
| MD5 | f5f5827cce390bb883f14eb10dc21d44 |
| SHA1 | 5be68615a08e5f7cdff6bd5cc636ff94d2f919bc |
| SHA256 | b8adc5641110f385c27d671377bde963e046109027305b7812c52567253c99f8 |
| SHA512 | 6bc430005f1e57096a27cb9cd315370c9c162382a7820bb882a1fdf89e6bf4996aff8f093b4cd77dd1ea71a2c24c7402c6132905bbe932590533f38a8b5ef313 |
C:\Windows\{CC013546-185D-4d0f-8DFB-ABCEA8140B96}.exe
| MD5 | 49cba099509e5458c2893a5a00bbdca3 |
| SHA1 | 7c3f973ddbb5ddd7c84a7a00d08f40092473d301 |
| SHA256 | ad86b16a2c156e544a9f2e1219198dffc7dbde2cd6dd3028f84fd37f77142cc4 |
| SHA512 | f76adceb8225d479b25fc1244fce249502e0766b247014b82e7b924093ad3849b413dfc48b8a753b073e0e4ac887a67e109d4b4fcf436ab770e79e5f2e705176 |
C:\Windows\{14C807C4-A2D5-4e10-B4F3-6B1335F4B0EA}.exe
| MD5 | e0f0440074bac29487ae52eb52634b78 |
| SHA1 | b56a43dbdfb1901dc38ba9a8506ad60dbf4e43a2 |
| SHA256 | 28b4964ade4464effa0e1a855b2497630ed3e6bb63d278451e9280aad4a5fe7d |
| SHA512 | c14a41aedef224832e5fec7814d6e0c0a00238be62836ec1e21379e47e15dbdf99334f3e32e72d1316b1f0d6d2d409fa0a1ca2e305b947f8e047c3c60563c195 |
C:\Windows\{68F41011-39B3-4aab-9587-AEAFD6BF98A3}.exe
| MD5 | 90d9e2b0f302fb7a21d68b62682f4c99 |
| SHA1 | 4372e08932a3067a1b4c4335e6ede8b3ec638b92 |
| SHA256 | ddb646aadc3b95adbefd882e839b37da5d67f93142ef69f4de579599bd221838 |
| SHA512 | 66793eee94e25267ab8bc22b33ecf0fec1fe7b26a712242ab79131cf40edd6d8ee035d9cfc15fa0c14d0c81e8a05345963a3cb31f85523503b07622511cef520 |
C:\Windows\{3EA854E4-8FBF-49c3-A70A-3617FD88AEDB}.exe
| MD5 | 02fe8e3e099e0236a313dc2f3d651244 |
| SHA1 | a6338936f2d302923c8f0e3a3328d2664099d078 |
| SHA256 | acec59430595dec6f1d44e055270835ac396107473598b68bec6477ad3e6eb52 |
| SHA512 | b61eb0451f2904fab2d177b28d15a82f5994da48057fbd01939e97eca63fc0638990fa64fbe5e47356989d976a3be97c99cfe05bd469a664bba4f17e1273c97e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 20:29
Reported
2024-11-09 20:31
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F} | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}\stubpath = "C:\\Windows\\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe" | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06} | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC79949B-7A6A-475c-A651-426D690CD70E}\stubpath = "C:\\Windows\\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe" | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4} | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0380B552-6A05-4f10-B8EA-7EEECC384B32}\stubpath = "C:\\Windows\\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe" | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0EE301-9981-4641-8F1B-05C5D08A7146} | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B0EE301-9981-4641-8F1B-05C5D08A7146}\stubpath = "C:\\Windows\\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe" | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28} | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}\stubpath = "C:\\Windows\\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe" | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}\stubpath = "C:\\Windows\\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe" | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3044246-53D8-40b8-A00F-50DBED6B20A8} | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0380B552-6A05-4f10-B8EA-7EEECC384B32} | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F856CE32-CC60-4296-995C-BE5FF262C76D}\stubpath = "C:\\Windows\\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe" | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEAA7FFB-0DBB-4661-9267-664930637360}\stubpath = "C:\\Windows\\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe" | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C} | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}\stubpath = "C:\\Windows\\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe" | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94} | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC79949B-7A6A-475c-A651-426D690CD70E} | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3044246-53D8-40b8-A00F-50DBED6B20A8}\stubpath = "C:\\Windows\\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe" | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F856CE32-CC60-4296-995C-BE5FF262C76D} | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEAA7FFB-0DBB-4661-9267-664930637360} | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}\stubpath = "C:\\Windows\\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe" | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}\stubpath = "C:\\Windows\\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe" | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | N/A |
| N/A | N/A | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | N/A |
| N/A | N/A | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | N/A |
| N/A | N/A | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | N/A |
| N/A | N/A | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | N/A |
| N/A | N/A | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | N/A |
| N/A | N/A | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | N/A |
| N/A | N/A | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | N/A |
| N/A | N/A | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | N/A |
| N/A | N/A | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | N/A |
| N/A | N/A | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | N/A |
| N/A | N/A | C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | N/A |
| File created | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | N/A |
| File created | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | N/A |
| File created | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | N/A |
| File created | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | N/A |
| File created | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | N/A |
| File created | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| File created | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | N/A |
| File created | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | N/A |
| File created | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | N/A |
| File created | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | N/A |
| File created | C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe | "C:\Users\Admin\AppData\Local\Temp\221d6a60fc8d77ae7619db2877f035d0f09e3796f44689c7f100c90cc38e636a.exe" |
| C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe | C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\221D6A~1.EXE > nul |
| C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe | C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AEAA7~1.EXE > nul |
| C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe | C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DF3D6~1.EXE > nul |
| C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe | C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E11DD~1.EXE > nul |
| C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe | C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BE3EA~1.EXE > nul |
| C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe | C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{7CBBC~1.EXE > nul |
| C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe | C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{AC799~1.EXE > nul |
| C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe | C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{9862E~1.EXE > nul |
| C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe | C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B3044~1.EXE > nul |
| C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe | C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A1C88~1.EXE > nul |
| C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe | C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{0380B~1.EXE > nul |
| C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe | C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{2B0EE~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Windows\{AEAA7FFB-0DBB-4661-9267-664930637360}.exe
C:\Windows\{DF3D6E42-7FF0-4ed3-836D-51066DD89D06}.exe
C:\Windows\{E11DDE14-ABB3-429b-BA7C-6F73EE5E3A8C}.exe
C:\Windows\{BE3EADC8-6860-4d46-B877-E9FD5DE4BB94}.exe
C:\Windows\{7CBBC9BB-7FF3-43c9-8977-616ADA848D28}.exe
C:\Windows\{AC79949B-7A6A-475c-A651-426D690CD70E}.exe
C:\Windows\{9862EE19-CD7B-461d-97F7-3178E8DC3DF4}.exe
C:\Windows\{B3044246-53D8-40b8-A00F-50DBED6B20A8}.exe
C:\Windows\{A1C886AF-0A32-4744-A9C9-FEAC9B45823F}.exe
C:\Windows\{0380B552-6A05-4f10-B8EA-7EEECC384B32}.exe
C:\Windows\{2B0EE301-9981-4641-8F1B-05C5D08A7146}.exe
C:\Windows\{F856CE32-CC60-4296-995C-BE5FF262C76D}.exe