Malware Analysis Report

2025-05-06 00:50

Sample ID: 241109-zdt7asvjhk
Target: 949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N
SHA256: 949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1
Tags: discovery, persistence
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: 949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1
Threat level: Likely malicious

The file 949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, persistence

Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

Reading the signatures together

The behavioral signatures describe one repeating sequence, not seven independent findings. In both detonations the sample (a 32-bit executable: its registry writes land under Wow6432Node and its cmd.exe children run from SysWOW64) writes a copy named {GUID}.exe into C:\Windows, creates HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{GUID} with a stubpath value pointing at that copy, starts the copy, and then runs cmd.exe /c del <own path> > nul to remove its own file. The copy repeats the sequence with a new GUID. The win7 run (behavioral1) recorded nine dropped stages and the win10 run (behavioral2) a different set of nine GUIDs. In behavioral1 every stage except the last one recorded deleted itself after launching its successor, so by the end of the run most registered stubpath values point at files that no longer exist and only the last stage's file remains on disk.

Practical notes on the individual signatures:

The GUIDs, file names and registry key names are generated per run and differ between behavioral1 and behavioral2, so they are not reusable indicators. Hunt for the pattern instead: an Active Setup stubpath whose value is a GUID-named .exe directly in the Windows root, written by a process outside Program Files or System32. Active Setup runs a component's stubpath for each user at that user's next logon if it has not yet run for them, so the registration gives the chain another execution even after the file that registered it is gone. The dropped-file hashes listed under Files belong to behavioral1 only.

Suspicious use of WriteProcessMemory: every recorded write is from a stage into a process that stage itself started, either its successor or its own cmd.exe child; no write targets a pre-existing process. That is the pattern of a 32-bit parent starting a child, not of injection into an unrelated process. Read these rows as confirmation of the process tree rather than as an injection indicator.

System Language Discovery: the NLS\Language key is also opened by every cmd.exe instance in the run, so this signature reflects ordinary locale initialisation and says nothing about geographic targeting on its own.

Suspicious use of AdjustPrivilegeToken: each stage adjusts only SeIncBasePriorityPrivilege, the privilege needed to raise a process's scheduling priority. No other privilege was touched.

Deletes itself: the delete command uses the 8.3 short name of the stage being removed (949C0C~1.EXE, {1FACB~1.EXE, ...), and the command line names C:\Windows\system32\cmd.exe while the executing image is C:\Windows\SysWOW64\cmd.exe, because WOW64 file-system redirection applies to the 32-bit parent. Rules keyed on the image path need the SysWOW64 path; rules keyed on the command line should expect short names.

behavioral1 recorded no network activity (Network: N/A).
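A hunt for this persistence pattern, as an added example that is not part of the sandbox report or of the sample. It applies one heuristic (an Active Setup StubPath whose value is a GUID-named .exe directly in C:\Windows, with extra weight when the component GUID equals the file name and when the writer runs from a temp directory or is itself a GUID-named exe) to registry-write events in Sysmon Event ID 13 shape and, on a Windows host, to the live registry through winreg. The event rows are constructed from the behavioral1 rows of this report; the benign control row is modelled on a stock Windows component and is an assumption, as is the heuristic itself, which was chosen for this chain and will need tuning against an environment's real Active Setup entries.

```python
"""Hunt for the Active Setup persistence pattern recorded in this report.

Added example; it is not part of the sandbox output. It applies one check
to registry-write events (Sysmon Event ID 13 shape: TargetObject, Details,
Image) and, on a Windows host, to the live registry via winreg. The sample
events are constructed from the behavioral1 rows plus one benign control
entry modelled on a stock Windows component (an assumption, not from the page).
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# Matches both the sandbox's \REGISTRY\MACHINE\... spelling and Sysmon's HKLM\... spelling.
ACTIVE_SETUP = re.compile(
    r"\\Microsoft\\Active Setup\\Installed Components\\(" + GUID + r")(?:\\(stubpath))?$", re.I)
# Heuristic assumption: legitimate StubPath values point at Program Files or System32
# binaries (regsvr32, rundll32, setup.exe ...), not at {GUID}.exe directly in C:\Windows.
GUID_EXE_IN_WINROOT = re.compile(r"^[a-z]:\\windows\\(" + GUID + r")\.exe$", re.I)


@dataclass
class Finding:
    component: str
    stub_path: str
    writer: str
    reasons: Tuple[str, ...]


def _norm(path: str) -> str:
    """Strip quotes and the doubled backslashes the sandbox prints; lower-case for comparison."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def flag_stubpath(component: str, stub_path: str, writer: str = "") -> Optional[Finding]:
    """Return a Finding when a StubPath value matches the chain's pattern, else None."""
    m = GUID_EXE_IN_WINROOT.match(_norm(stub_path))
    if not m:
        return None
    reasons = ["StubPath is a GUID-named exe directly in the Windows root"]
    if m.group(1).lower() == component.lower():
        reasons.append("component GUID equals exe name")
    w = _norm(writer)
    if w and (GUID_EXE_IN_WINROOT.match(w) or "\\appdata\\local\\temp\\" in w):
        reasons.append("written by a temp-dir process or by another GUID-named exe")
    return Finding(component, stub_path, writer, tuple(reasons))


def flag_event(target_object: str, details: str, image: str) -> Optional[Finding]:
    """Apply flag_stubpath to one registry-write event; key creations carry no path and are skipped."""
    m = ACTIVE_SETUP.search(target_object)
    if not m or m.group(2) is None:
        return None
    return flag_stubpath(m.group(1), details, image)


def audit_events(events) -> List[Finding]:
    return [f for f in (flag_event(*e) for e in events) if f]


def audit_live_registry() -> List[Finding]:
    """Windows only: walk both Active Setup views and apply the same check to every StubPath."""
    if sys.platform != "win32":
        return []
    import winreg
    findings: List[Finding] = []
    for base in (r"SOFTWARE\Microsoft\Active Setup\Installed Components",
                 r"SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base)
        except OSError:
            continue
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                try:
                    with winreg.OpenKey(root, name) as comp:
                        stub = winreg.QueryValueEx(comp, "StubPath")[0]
                except OSError:
                    continue  # component without a StubPath value
                f = flag_stubpath(name, str(stub))
                if f:
                    findings.append(f)
    return findings


# Constructed sample: three rows copied from behavioral1 and one benign control row.
HIVE = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"
SAMPLE_EVENTS = [
    (HIVE + r"\{1FACB863-7938-4578-A207-40D577BBFA0B}\stubpath",
     r'"C:\\Windows\\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe"', SAMPLE),
    (HIVE + r"\{1FACB863-7938-4578-A207-40D577BBFA0B}", "", SAMPLE),  # key creation only
    (HIVE + r"\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}\stubpath",
     r'"C:\\Windows\\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe"',
     r"C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe"),
    # Benign control (assumed, modelled on a stock Windows entry): must not be flagged.
    (r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\StubPath",
     r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS) + audit_live_registry():
        print(f.component, "->", f.stub_path, "|", "; ".join(f.reasons))
```

Run it on a Windows host as an administrator to get the live-registry pass in addition to the constructed events; on any other platform only the event check runs. The three reasons are cumulative, so a single "StubPath is a GUID-named exe" hit is worth a look but the full triple is the signature of this chain.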

MITRE ATT&CK

Enterprise Matrix V15

Persistence: Boot or Logon Autostart Execution: Active Setup (T1547.014)
Discovery: System Location Discovery: System Language Discovery (T1614.001)

The sandbox tags only these two techniques. The cmd.exe /c del self-removal recorded under "Deletes itself" corresponds to Indicator Removal: File Deletion (T1070.004).

Analysis: static1

Detonation Overview

Reported: 2024-11-09 20:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 20:36
Reported: 2024-11-09 20:38
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tag: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}\stubpath = "C:\\Windows\\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe" | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0} | C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC} | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23} | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D9C7872-2449-4800-9284-0667AC43C53B} | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D9C7872-2449-4800-9284-0667AC43C53B}\stubpath = "C:\\Windows\\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe" | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EEA436D-1C37-4784-BE3D-1E7D850AA803} | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FACB863-7938-4578-A207-40D577BBFA0B} | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE} | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}\stubpath = "C:\\Windows\\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe" | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}\stubpath = "C:\\Windows\\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe" | C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}\stubpath = "C:\\Windows\\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe" | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}\stubpath = "C:\\Windows\\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe" | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}\stubpath = "C:\\Windows\\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe" | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FACB863-7938-4578-A207-40D577BBFA0B}\stubpath = "C:\\Windows\\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe" | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984} | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}\stubpath = "C:\\Windows\\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe" | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6} | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | N/A
File created | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | N/A
File created | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | N/A
File created | C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | N/A
File created | C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe | C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe | N/A
File created | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
File created | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | N/A
File created | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | N/A
File created | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the last column is the number of times the sandbox logged that row.

Description | Indicator | Process | Target | Rows
PID 2568 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | 4
PID 2568 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1320 wrote to memory of 1192 | N/A | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | 4
PID 1320 wrote to memory of 2188 | N/A | C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1192 wrote to memory of 2940 | N/A | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | 4
PID 1192 wrote to memory of 2076 | N/A | C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2940 wrote to memory of 2680 | N/A | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | 4
PID 2940 wrote to memory of 2968 | N/A | C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2680 wrote to memory of 1664 | N/A | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | 4
PID 2680 wrote to memory of 2724 | N/A | C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1664 wrote to memory of 1984 | N/A | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | 4
PID 1664 wrote to memory of 1072 | N/A | C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1984 wrote to memory of 2312 | N/A | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | 4
PID 1984 wrote to memory of 1008 | N/A | C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2312 wrote to memory of 1704 | N/A | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe | 4
PID 2312 wrote to memory of 1656 | N/A | C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe | C:\Windows\SysWOW64\cmd.exe | 4

Processes

Process tree for behavioral1. Parent/child links and PIDs are taken from the WriteProcessMemory table above; the last two processes fall outside the rows that table records, so their PIDs are not in this report. Each stage starts a cmd.exe that deletes the stage's own file (by its 8.3 short name) and starts its successor stage.

PID 2568  C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"
  PID 2492  C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\949C0C~1.EXE > nul
  PID 1320  C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe
      command line: C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe
    PID 2188  C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1FACB~1.EXE > nul
    PID 1192  C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe
        command line: C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe
      PID 2076  C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{DA3A6~1.EXE > nul
      PID 2940  C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe
          command line: C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe
        PID 2968  C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EBD0B~1.EXE > nul
        PID 2680  C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe
            command line: C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe
          PID 2724  C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{10CB7~1.EXE > nul
          PID 1664  C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe
              command line: C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe
            PID 1072  C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{21AF8~1.EXE > nul
            PID 1984  C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe
                command line: C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe
              PID 1008  C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9C7~1.EXE > nul
              PID 2312  C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe
                  command line: C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe
                PID 1656  C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{B2B9C~1.EXE > nul
                PID 1704  C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe
                    command line: C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe
                  PID not in report  C:\Windows\SysWOW64\cmd.exe
                      command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{9EEA4~1.EXE > nul
                  PID not in report  C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe
                      command line: C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe
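The chain and its self-deletion pairs can be checked mechanically rather than by eye. The code below is an added example, not sandbox code: it parses rows in this report's WriteProcessMemory layout into a parent map, refuses any PID that has two different writers (which would no longer look like plain process start-up), reconstructs the 8.3 short name that each cmd.exe deletes (first six characters plus ~1, an approximation that assumes no short-name collision and a long base name), and pairs every stage with the file its cmd.exe child removes. The rows are constructed from the first three stages of behavioral1; the PIDs on the process list are taken from the WriteProcessMemory rows because the Processes section itself records none.

```python
"""Rebuild the stage chain and the self-deletion pairs from this report's process data.

Added example; not the sandbox's code. The rows below are constructed from
the behavioral1 WriteProcessMemory table and process list (first three stages
only). PIDs on the process list come from the WriteProcessMemory rows, the
only place the report records them.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")  # this report's row layout
DEL_ARG = re.compile(r"\bdel\s+(\S+)", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"
A = r"C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe"
B = r"C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe"
C = r"C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

_DISTINCT = [
    f"PID 2568 wrote to memory of 1320 N/A {SAMPLE} {A}",
    f"PID 2568 wrote to memory of 2492 N/A {SAMPLE} {CMD}",
    f"PID 1320 wrote to memory of 1192 N/A {A} {B}",
    f"PID 1320 wrote to memory of 2188 N/A {A} {CMD}",
    f"PID 1192 wrote to memory of 2940 N/A {B} {C}",
    f"PID 1192 wrote to memory of 2076 N/A {B} {CMD}",
]
WPM_ROWS = [row for row in _DISTINCT for _ in range(4)]  # the report logs each pair four times

PROCESSES: List[Tuple[int, str, str]] = [  # (pid, image, command line), constructed from the report
    (2568, SAMPLE, f'"{SAMPLE}"'),
    (1320, A, A),
    (2492, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\949C0C~1.EXE > nul"),
    (1192, B, B),
    (2188, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{1FACB~1.EXE > nul"),
    (2940, C, C),
    (2076, CMD, r"C:\Windows\system32\cmd.exe /c del C:\Windows\{DA3A6~1.EXE > nul"),
]


def parse_writes(rows: List[str]) -> Counter:
    """Count WriteProcessMemory rows per (writer_pid, target_pid); the sandbox logs several per pair."""
    counts: Counter = Counter()
    for row in rows:
        m = WPM_ROW.match(row)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def parent_map(counts: Dict[Tuple[int, int], int]) -> Dict[int, int]:
    """Map each written-to PID to its writer. A PID with two different writers does not fit
    plain process start-up and is reported instead of silently overwritten."""
    parents: Dict[int, int] = {}
    for writer, target in counts:
        if parents.setdefault(target, writer) != writer:
            raise ValueError(f"PID {target} written by both {parents[target]} and {writer}")
    return parents


def short_name(filename: str) -> str:
    """Approximate the 8.3 short name of a long file name: first six characters of the base
    name, '~1', first three of the extension, upper-cased. Assumes no short-name collision
    (which would give ~2, ~3 ...) and a base name longer than eight characters."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    base = base.replace(" ", "").replace(".", "")
    return (f"{base[:6]}~1.{ext[:3]}" if ext else f"{base[:6]}~1").upper()


def resolve_del_target(cmdline: str, images: List[str]) -> Optional[str]:
    """Map the 8.3 path in 'cmd.exe /c del <path> > nul' back to a long path from `images`."""
    m = DEL_ARG.search(cmdline)
    if not m:
        return None
    wanted = m.group(1).lower()
    for img in images:
        folder, _, name = img.rpartition("\\")
        if f"{folder}\\{short_name(name)}".lower() == wanted:
            return img
    return None


def stage_chain(processes, counts) -> List[Tuple[int, str, Optional[str]]]:
    """Walk from the root process down the non-cmd children. For each stage return
    (pid, image, path its cmd.exe child deletes); deleted == image means a self-deleting stage."""
    parents = parent_map(counts)
    by_pid = {pid: (img, cmd) for pid, img, cmd in processes}
    children = defaultdict(list)
    for target, writer in parents.items():
        children[writer].append(target)
    images = [img for _, img, _ in processes]
    pid: Optional[int] = next(p for p in by_pid if p not in parents)  # the only never-written-to PID
    chain: List[Tuple[int, str, Optional[str]]] = []
    while pid is not None:
        img, _ = by_pid[pid]
        nxt, deleted = None, None
        for child in children.get(pid, []):
            child_img, child_cmd = by_pid[child]
            if child_img.lower().endswith("\\cmd.exe"):
                deleted = resolve_del_target(child_cmd, images)
            else:
                nxt = child
        chain.append((pid, img, deleted))
        pid = nxt
    return chain


def self_deleting_stages(chain) -> List[int]:
    return [pid for pid, img, deleted in chain if deleted == img]


if __name__ == "__main__":
    for pid, img, deleted in stage_chain(PROCESSES, parse_writes(WPM_ROWS)):
        print(pid, img, "-> deletes", deleted)
```

With the constructed rows the walk yields the sample, {1FACB863-...}, {DA3A636B-...} and {EBD0B0B1-...} in order, the first three paired with their own image as the deleted path and the last with none, because its cmd.exe child lies outside the rows included. The same parser runs over the full table; only the row list needs to grow.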

Network

N/A

Files

C:\Windows\{1FACB863-7938-4578-A207-40D577BBFA0B}.exe

MD5 7d167ca937c83399e9f24227df842575
SHA1 0cfc6f33ca8f66fa150a5ad6621d8fde12849401
SHA256 a73bae9187db8225ff9e7a18a4c59931337e25ef19d6a7693b3fd52c03a9ac74
SHA512 b3d2744e3a8541f3d96e2c8a958db2c5e546c20f460092340b81b08397cc196d35172ce2a3a2f52c2ff0e355c9829117703c6f8c81f42a20d4ac3c1874433a0d

C:\Windows\{DA3A636B-20A8-4eb1-907D-99B1CDD00FAE}.exe

MD5 b5fd07dc68f84219ccec7849720a3c45
SHA1 8df5ad377f66a674fa8718f2c130fc9506c8e886
SHA256 24fe6d92484658adb07c435f7934f7d7e1dfe44f135fd0fc2917920870413ba0
SHA512 19f93013ba56d6d14df23c660d54e1f378b09146addd7d44d0b2117a9a0c787dbcff1f43a24270f09069d909e4044bc51daf8c91a331b8cf6409c7271477eaed

C:\Windows\{EBD0B0B1-1B35-460e-A7B2-6CCC71341984}.exe

MD5 25ff870c03f10fa00cbcfd0cae85b34e
SHA1 f5d408dacc708b0bf93fc1e66fa96082c758dd8b
SHA256 32a25b86ed8983da1484787893ea3fcd95b2996de48fdbb92d9b68acc5c151cb
SHA512 3d5ff02f69b2cc58c3dc42066ae715619510773a4fa2ec10c47720600aebaebc739be171bbd25723a9418dde3639092bda95aec533ec4c3d4e07909e67eae2c5

C:\Windows\{10CB7C3E-8338-4302-A5D1-E78D8261F5AC}.exe

MD5 5f09ff398ad308209f808fc3088185f9
SHA1 18ae5c3144524e96131bb2b28fe228c1bbf9c861
SHA256 386319227847c8a4fb83e4c0984ba24c25e517bdba6eead6ee6b2b69ba765115
SHA512 8158651bdbc8b5464a893f8205c03ced20ab8fd19b363d5ba6e682e37732d2bf86d8fcd769e97c49b17fe503347bb28d2946ce9e2dbb2c1764967c1c820830ce

C:\Windows\{21AF8DEC-5426-45d1-B4CD-8A1E1502AA23}.exe

MD5 24e732ab254fc3634d1a695fc9cf11ab
SHA1 776bd040448147d6ae89119c8717edad109411ec
SHA256 e653f43139313e3f3ea7f4dcef4c63806de7240442daea83de8e1e2109ad6494
SHA512 ecc63b1dbb43c68781c421622660de9d3b1b7b4b04b5b0113623bf58ede5c772e5aaff57686005ed0ba6229c196a97b7a5126544f721e3e3ec22d4b096523931

C:\Windows\{7D9C7872-2449-4800-9284-0667AC43C53B}.exe

MD5 12e1a9723c415c7c111be638b4e6a3d6
SHA1 8863bcc4f9de0584d54d1e68455c1489df3562f8
SHA256 e8466d3d2f1ea260846f2bfe0a2f2f8958aa0d44e3972bd5765c01051ae711b1
SHA512 df27cab1a1527948e63c727a6aced7fed0716aa32621ec8e3907f8b29cdeaf7e65f88c3674867016164b312cc55f453942db5918b2571590825e221fa3200a02

C:\Windows\{B2B9CF2B-82D3-4a35-97FA-2EF91AA082C6}.exe

MD5 d59d5eb22c4f5b400da03f17fc80e527
SHA1 32f55855cf56ee69c26188994d06c083d2ee39fa
SHA256 699c3263487a106f9fe20cff83cec8db782639a59b787fc220c54d8724b39a52
SHA512 5b23136257d406c53e0af71f4fba08a9dd5a5a438f857f9e14e5b996a8a5c9a6ac2b8fa6d1d162484d818067f24daa3839b5b767bd7bd1f06b157fc0ee57495a

C:\Windows\{9EEA436D-1C37-4784-BE3D-1E7D850AA803}.exe

MD5 971947b5d89e3dd32e0c5ed60560108f
SHA1 91186c7d8e3faf69d8e978c9fb4a7c6bdda5f458
SHA256 4f6ec7ed3a0133d43699c59a226aba8c1e170437835d59bc7a5b38c80afa4714
SHA512 6cc2e558983a00045b3550ed6c81db5542198b5038881eeb395ca491497d07dd31a9265335463af540a57037f39d3eaab0af780893ef77a1a4a076a8c28fd4fb

C:\Windows\{5729B4C6-2FC8-48dd-9BF5-0D7477CD5FA0}.exe

MD5 de46c2c11a2c92eaf9ed8ca84afdfc1c
SHA1 3d7d753e71ef62d639ef215743939770978097f1
SHA256 266b544f327c1e2714e996c214799d5350b07e3aa376f0ec12cab04c4c19d072
SHA512 611e27d3cc61de5c900476714535932e6f1a61f6920013e36d8498abc74e1749a4ff5c87723dc6676c2b4d491cfd80e17faa5ec138dc3ad30a82d1b09d8c70f7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 20:36
Reported: 2024-11-09 20:38
Platform: win10v2004-20241007-en
Max time kernel: 118s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

Tag: persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461} | C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}\stubpath = "C:\\Windows\\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe" | C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E100349-3C1F-4193-B8AE-C0D22140D495} | C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E100349-3C1F-4193-B8AE-C0D22140D495}\stubpath = "C:\\Windows\\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe" | C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA} | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1} | C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39F04CD-D3E1-4081-881E-229D7855B7C4}\stubpath = "C:\\Windows\\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe" | C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FF102C-F33C-4164-A5E9-E15F011D4733} | C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}\stubpath = "C:\\Windows\\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe" | C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28FF102C-F33C-4164-A5E9-E15F011D4733}\stubpath = "C:\\Windows\\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe" | C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD84207-0E2B-4fd3-9DD8-5E644223B967} | C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}\stubpath = "C:\\Windows\\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe" | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0C7982-EC53-4298-A8F8-938D6449DE31}\stubpath = "C:\\Windows\\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe" | C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A} | C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}\stubpath = "C:\\Windows\\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe" | C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}\stubpath = "C:\\Windows\\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe" | C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39F04CD-D3E1-4081-881E-229D7855B7C4} | C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC0C7982-EC53-4298-A8F8-938D6449DE31} | C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe | C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe | N/A
File created | C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe | C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe | N/A
File created | C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
File created | C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe | C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe | N/A
File created | C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe | C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe | N/A
File created | C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe | C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe | N/A
File created | C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe | C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe | N/A
File created | C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe | C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe | N/A
File created | C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe | C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe | N/A

System Location Discovery: System Language Discovery

Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language |C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe
PID 2096 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe
PID 2096 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe
PID 2096 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 2084 N/A C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe
PID 4748 wrote to memory of 2084 N/A C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe
PID 4748 wrote to memory of 2084 N/A C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe
PID 4748 wrote to memory of 3484 N/A C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 3484 N/A C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 3484 N/A C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1608 N/A C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe
PID 2084 wrote to memory of 1608 N/A C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe
PID 2084 wrote to memory of 1608 N/A C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe
PID 2084 wrote to memory of 1512 N/A C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1512 N/A C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1512 N/A C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 1316 N/A C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe
PID 1608 wrote to memory of 1316 N/A C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe
PID 1608 wrote to memory of 1316 N/A C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe
PID 1608 wrote to memory of 4812 N/A C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4812 N/A C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe C:\Windows\SysWOW64\cmd.exe
PID 1608 wrote to memory of 4812 N/A C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 3600 N/A C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe
PID 1316 wrote to memory of 3600 N/A C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe
PID 1316 wrote to memory of 3600 N/A C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe
PID 1316 wrote to memory of 740 N/A C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 740 N/A C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 740 N/A C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4476 N/A C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe
PID 3600 wrote to memory of 4476 N/A C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe
PID 3600 wrote to memory of 4476 N/A C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe
PID 3600 wrote to memory of 4884 N/A C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4884 N/A C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe C:\Windows\SysWOW64\cmd.exe
PID 3600 wrote to memory of 4884 N/A C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4824 N/A C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe
PID 4476 wrote to memory of 4824 N/A C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe
PID 4476 wrote to memory of 4824 N/A C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe
PID 4476 wrote to memory of 4772 N/A C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4772 N/A C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4772 N/A C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 2352 N/A C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe
PID 4824 wrote to memory of 2352 N/A C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe
PID 4824 wrote to memory of 2352 N/A C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe
PID 4824 wrote to memory of 2628 N/A C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 2628 N/A C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe C:\Windows\SysWOW64\cmd.exe
PID 4824 wrote to memory of 2628 N/A C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 1204 N/A C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe
PID 2352 wrote to memory of 1204 N/A C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe
PID 2352 wrote to memory of 1204 N/A C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe
PID 2352 wrote to memory of 2224 N/A C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2224 N/A C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2224 N/A C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe

"C:\Users\Admin\AppData\Local\Temp\949c0c15bdec194fd79d3e52cfccba7d89dec8951597b762b41e7597faf195b1N.exe"

C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe

C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\949C0C~1.EXE > nul

C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe

C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B94AF~1.EXE > nul

C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe

C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{EFD8A~1.EXE > nul

C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe

C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{28FF1~1.EXE > nul

C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe

C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{FC0C7~1.EXE > nul

C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe

C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B2120~1.EXE > nul

C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe

C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0FC~1.EXE > nul

C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe

C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6E100~1.EXE > nul

C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe

C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD84~1.EXE > nul

Network

Country Destination Domain Proto

Files

C:\Windows\{B94AF03E-3CEA-48ba-8D69-9071EF2DCBAA}.exe

C:\Windows\{EFD8A4BF-8AF5-44a6-95E4-993E8BC29461}.exe

C:\Windows\{28FF102C-F33C-4164-A5E9-E15F011D4733}.exe

C:\Windows\{FC0C7982-EC53-4298-A8F8-938D6449DE31}.exe

C:\Windows\{B2120055-8AAE-412e-A3A5-A8EDBEF014E1}.exe

C:\Windows\{4F0FC7F7-FF52-4235-8F25-5DD5B2F8AC8A}.exe

C:\Windows\{6E100349-3C1F-4193-B8AE-C0D22140D495}.exe

C:\Windows\{9DD84207-0E2B-4fd3-9DD8-5E644223B967}.exe

C:\Windows\{C39F04CD-D3E1-4081-881E-229D7855B7C4}.exe
