Analysis Overview
SHA256
c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919
Threat Level: Likely malicious
The file c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 12:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 12:46
Reported
2024-11-11 12:48
Platform
win7-20241010-en
Max time kernel
119s
Max time network
118s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3799FB0-1447-47c6-AED4-435AC36BD9AC} | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}\stubpath = "C:\\Windows\\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe" | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B662E-1091-4508-B4B3-61082259EC1A} | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B662E-1091-4508-B4B3-61082259EC1A}\stubpath = "C:\\Windows\\{700B662E-1091-4508-B4B3-61082259EC1A}.exe" | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDF962B-8049-4667-A893-F02469AFC179} | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E081B303-FB06-4603-B6CF-8459EC78466A}\stubpath = "C:\\Windows\\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe" | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}\stubpath = "C:\\Windows\\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe" | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E081B303-FB06-4603-B6CF-8459EC78466A} | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF781A25-309F-4286-AF85-DE6DD161BDE2}\stubpath = "C:\\Windows\\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe" | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B} | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}\stubpath = "C:\\Windows\\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe" | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A1DFEC-78EE-4b25-B579-5D686B7D493F} | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDF962B-8049-4667-A893-F02469AFC179}\stubpath = "C:\\Windows\\{DBDF962B-8049-4667-A893-F02469AFC179}.exe" | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}\stubpath = "C:\\Windows\\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe" | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF781A25-309F-4286-AF85-DE6DD161BDE2} | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6} | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}\stubpath = "C:\\Windows\\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe" | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B} | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | N/A |
| N/A | N/A | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | N/A |
| N/A | N/A | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | N/A |
| N/A | N/A | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | N/A |
| N/A | N/A | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | N/A |
| N/A | N/A | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | N/A |
| N/A | N/A | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | N/A |
| N/A | N/A | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | N/A |
| N/A | N/A | C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| File created | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | N/A |
| File created | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | N/A |
| File created | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | N/A |
| File created | C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | N/A |
| File created | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | N/A |
| File created | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | N/A |
| File created | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | N/A |
| File created | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | "C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe" |
| C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe | C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C11BDD~1.EXE > nul |
| C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe | C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0AA~1.EXE > nul |
| C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe | C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E081B~1.EXE > nul |
| C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe | C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BF781~1.EXE > nul |
| C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe | C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{149E1~1.EXE > nul |
| C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe | C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E3799~1.EXE > nul |
| C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe | C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{23A1D~1.EXE > nul |
| C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe | C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{700B6~1.EXE > nul |
| C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe | C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDF9~1.EXE > nul |
Network
Files
C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe
| MD5 | ea7f26a16a89bed39f55133417fe25c8 |
| SHA1 | 4e3dcc2bdc5a15029caf2f4710911a6d62c3a142 |
| SHA256 | 8ffe4850eb35c6d68e91f5ecc3f9848157e31f5f9b073717c1640db502ade522 |
| SHA512 | b041b04b79889107c4d83c6d895e7f48423d0742c8ef4e2061af006005d628e85fe7d3f6a6383b0d23002523515601a1f69f7bf1bc8a95cacef4a63420f5648e |
C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe
| MD5 | 9594c9e4c71192bc927ed414c3c44ba1 |
| SHA1 | d3b4b5742d9e01e9b9631b33c6a5c37b8fdf2573 |
| SHA256 | 6d47d9ace0ba678be82b71667ecc98de2d1965cce672cf72dc34ec980c20c1e9 |
| SHA512 | 0c39f1a86d44dd4c8e373231e74a80c4fb383f929959df26c603798bedeea0eae9bc29ae647218b4fd7e200709bba562011d0c3b7a74d789cc3e9886a14c7996 |
C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe
| MD5 | 8dcef8c69edd68c19e459ab0e324d2b7 |
| SHA1 | 423007b8c2cd1258495aa425b4db7e2619857d91 |
| SHA256 | 9e84ee157a742fe6ca0f21e8286800cdd87e4d586407a96d086cef2b0283493c |
| SHA512 | 42105c4d6672917921c0ec087300f53f95bbe11f29ed2768b14316569ba7203fc90eb503b828b7d9edb5e4ea0eaa187b98f0f4d85cddead9b5b19bc4a43e2b95 |
C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe
| MD5 | f34a2b3cac20beb378c84e219ccbe62f |
| SHA1 | e6beebbb8820db153c8b858054220e804d6485aa |
| SHA256 | 5768092a01eeaeb9e415afc6bbb1a64895298ee0bfa14ca0d777f6f0f38b91f3 |
| SHA512 | 2cee75964509e720bd5c32581ed9481075086be702e5ff5b6ed8f5d6e3399cb8e51b80659594e4d85bae583577ba24e3e7bad2d7b694ed46a071c5f4e56070fa |
C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe
| MD5 | bb2b7d0f2c8cde70d2465d84bfa3ae2c |
| SHA1 | 35bf71bbf4cf4c91d34c9e758806391a89238761 |
| SHA256 | 1cfbbaac1e8e84e17f4449c0a2341fc44ecf3005e63d7b4fcd77b9cf2ba4a642 |
| SHA512 | e6fa44193f05281281581edffe344f07e26176098b2230ca4c9c520c91bb193b8bb6dbf6280b19edca8326d67cc07c49932af61fda4c42e2902486cf6a5d04d2 |
C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe
| MD5 | 9439ee010d269158817094e843241f88 |
| SHA1 | 90cf7e4c53bd54a33b7071b56eefbd18acf4b1b8 |
| SHA256 | d84377a7aad749daa58382fdc4139ecd1487545e6bbf9f3c8874330c1c7caf98 |
| SHA512 | 2f17253f8bc491c98bbf4889eee28eb05e0cfe5065bca069b3ce07d65c266e010e27106e5ee0ca76b1f22acb76c1eb9836de4ee3515c7ef1159554b2b09871de |
C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe
| MD5 | 9273d6b8925dd53864277a9cb87a3afb |
| SHA1 | cfa703d903d996447d5fe99e19a3a228847f98ff |
| SHA256 | ed9a77585e2dff90f37d9294389d251dd930e5f78227ee40800832c88f0c266a |
| SHA512 | 930643b46acfde7c5b33f409b05a7719a2a2fa85b65780b503c9c011a250b265f278c16cef0939ea3c9dbc48be1c8bb31e5658a8468d953fef75743f821e65c6 |
C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe
| MD5 | fb4c3fb272af4399167b0542b15aea00 |
| SHA1 | cf606fd06530299e3037b15b6ef15496276f7790 |
| SHA256 | b591959f1b64818c76ac819b1dda0817e7b773cc6885fe34f090e9ddff56d0a7 |
| SHA512 | fc667fc5fe8664cff812b969c5bbc4649601ae8afab789946d8d3cb4120fdac18422da04e8f72a7707238e3b52ec4b7999c4d3071795109666bb8b3b9f0f507b |
C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe
| MD5 | eb312c3f9a6679438261de4bee7dc5c5 |
| SHA1 | 69f3a4ae62444fb8fb7297069a980479b44c795a |
| SHA256 | f3d074be2414c307741890cfa6310b2a8ac0b5402af5f26d0132c5529422dbe5 |
| SHA512 | 17acaa6613084c056615497fea67f32f055e3d1a298e5ddb3b2966a5603ad40f6023e66a99a34ae35a52fa0f46456936274885016014c7e401aa97fd8adfc8c3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 12:46
Reported
2024-11-11 12:48
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
99s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}\stubpath = "C:\\Windows\\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe" | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91} | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DD3A37-11E3-4256-AEA3-B213900402C8} | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}\stubpath = "C:\\Windows\\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe" | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A57611-0E4B-44e1-BD85-E56416BFE287} | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{324B0987-5959-4702-950E-C16AA867807D} | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{324B0987-5959-4702-950E-C16AA867807D}\stubpath = "C:\\Windows\\{324B0987-5959-4702-950E-C16AA867807D}.exe" | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48D87576-1B71-42a3-92AD-A08A82E6AAE8} | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD80C96-ECCD-482a-9E88-26C491E92824}\stubpath = "C:\\Windows\\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe" | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43D839E3-A004-40bb-ADD5-FED1B7906FFE} | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}\stubpath = "C:\\Windows\\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe" | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB} | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A57611-0E4B-44e1-BD85-E56416BFE287}\stubpath = "C:\\Windows\\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe" | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DD3A37-11E3-4256-AEA3-B213900402C8}\stubpath = "C:\\Windows\\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe" | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}\stubpath = "C:\\Windows\\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe" | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}\stubpath = "C:\\Windows\\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe" | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD80C96-ECCD-482a-9E88-26C491E92824} | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8} | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | N/A |
| N/A | N/A | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | N/A |
| N/A | N/A | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | N/A |
| N/A | N/A | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | N/A |
| N/A | N/A | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | N/A |
| N/A | N/A | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | N/A |
| N/A | N/A | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | N/A |
| N/A | N/A | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | N/A |
| N/A | N/A | C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | N/A |
| File created | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | N/A |
| File created | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | N/A |
| File created | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | N/A |
| File created | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | N/A |
| File created | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | N/A |
| File created | C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | N/A |
| File created | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| File created | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe | "C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe" |
| C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe | C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C11BDD~1.EXE > nul |
| C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe | C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{324B0~1.EXE > nul |
| C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe | C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{48D87~1.EXE > nul |
| C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe | C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1D277~1.EXE > nul |
| C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe | C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{33DD3~1.EXE > nul |
| C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe | C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{865B8~1.EXE > nul |
| C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe | C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A57~1.EXE > nul |
| C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe | C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD80~1.EXE > nul |
| C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe | C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F93~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe
| MD5 | 67a38068697c4b73b41487d5b5cfc039 |
| SHA1 | 4220a4c17c6513904ef295626d4b2f12231092ba |
| SHA256 | e2da00b5b6a2202aabd925c2e8a17dc54d5c5a5ce94c9699cdfd1a15aca32e4f |
| SHA512 | 0dd20d9c90e6439cdb2f289d083eea443372ccabdca05c679427256664654cdfab3f0845a27478fadfd440b73ad40c13e45226500684a917d5df6db05edf5d0e |
C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe
| MD5 | d25b1dc1c20ef599974c3b1b00ba0943 |
| SHA1 | 226cdc015c718145d7283a73825e8a7263c44d33 |
| SHA256 | 5a0cad8af25528a5f57e641023f65ba51321cf9e42489427f7adbb18a8b0dce5 |
| SHA512 | 8318cc37fdb5f88efc988814f93ce80157f69f5b50ef7023fdcffcd197dc9e5721be1421e73defc2ae934d532e0e4e4fd6cf39e44bc3e2f15958602dbb78dcec |
C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe
| MD5 | a29c367a41b4fabf3f84a25c70794ebe |
| SHA1 | 565de9fc273ed659d06b7f6d17599277307aac3d |
| SHA256 | 5c600c555bf8f455825bc85990c920a71e8a1a8ca6606ee71e8c7792e685586d |
| SHA512 | d7e1669c4d38ceae7b36058a74c3404c98d6f0c95b30e32cb84b7382f2b9ef8b0861600d3bec3d5c96fd00b510a7d7071645f8149e6047df6b36208ceb1b5da6 |
C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe
| MD5 | d3f258e76b471b2bc916430d8bca7767 |
| SHA1 | 5875066301e50eda91c909603adaa0af3feb8f63 |
| SHA256 | 2486aac16eeae2d8873aafd70759b9444129da6a95130081a7cca0cfce5daf6c |
| SHA512 | 8acbddf9ca368088a76adf2712559f38e0da3f5dfdb4c280d225868c21cc39aafd9841cbce3639870ef04142f84a1c4cd887dddc60a37a3359c64eb3ef205028 |
C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe
| MD5 | e7be5fcab508e901792b7702cc17ca34 |
| SHA1 | a12514f150427fa95b3cb4bafed56b38da8aca9f |
| SHA256 | 9a81f08e9375e9c6719287496ed7f6c488afe1963bcbc9c80f1a875359b729c0 |
| SHA512 | 4416b9f25e64f9b53b14ef549a2e0cd55f954de07748b4aa71b20c487b9576493132b85ff3fa4cf8af5a51a8f4110f87f8fcb7649cef96523a86954df96f0e2d |
C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe
| MD5 | 03c49e9812d7cf15b2ba6dbff80e399f |
| SHA1 | 54ad0781a9f8cf04ff7dd51ea7f047bfa9add8de |
| SHA256 | c18d4847ea488aa96f91f36935a12eb67b403b8bace19d04a4bc33b342be26f9 |
| SHA512 | 0be40a4e6ef5f6049928cbd6d42b07a121d222408ef3facdfdd61e54baa6020ec3d3a0fc5cbb0bc2a522bea48d007380e82f93662fdfbf52e3b5d931f0e27ab6 |
C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe
| MD5 | 91605a3aaff0117aed162c45b46f4e67 |
| SHA1 | 238804d6077cceb2cb87723184b81777007d1b7f |
| SHA256 | d790f038b420b7940796074a02b00daa4dc42286b174abb4a8c437fee1df9a49 |
| SHA512 | 14e295ca7bdeac41c5890d9b983ae6e88daabbb9994e789ac63f21c4eb002dbfcd7239f3fdbf32b626171951c3326beaa023f98678798ff4d80bfca286b4025c |
C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe
| MD5 | 6f2be1ec9bb323df600f6be3aee4ef51 |
| SHA1 | 1532885eab1f9cb9c11010c9fe06ffe0114ffcdb |
| SHA256 | b8144fab3bfa136321096270617846fab0a3ed68bf1dd38252ef068545efd8bc |
| SHA512 | e3f80a1ef013d69f8ec2d1a36f90f3cc918ca720d7c4b1653309f7709bf4cb077cda8f17dec90b9558c30f51402321d057c729a8734f0596bdb4b58aa20d7e27 |
C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe
| MD5 | 667b8e3f9f6c038e298a5bfefbd8af53 |
| SHA1 | 7d5c1c017150413b1eb0ec2a4fd7be8844cdf136 |
| SHA256 | 0ba68916f9fff81b0e9ca14f22b46dc1d8984e2d75dd8b82d652cefc36db1393 |
| SHA512 | 6c34147c0a2a6be22a71252e47e278187e80b831bdc4fb53a0382442f3482e91becc6be52ce0cedd1d766c08beb6315b596329dff24cf8b46cdd80bb27d37899 |