Malware Analysis Report

2025-08-05 11:30

Sample ID 241111-pz1abszalr
Target c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N
SHA256 c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919

Threat Level: Likely malicious

The file c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 12:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 12:46

Reported

2024-11-11 12:48

Platform

win7-20241010-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3799FB0-1447-47c6-AED4-435AC36BD9AC} C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}\stubpath = "C:\\Windows\\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe" C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B662E-1091-4508-B4B3-61082259EC1A} C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{700B662E-1091-4508-B4B3-61082259EC1A}\stubpath = "C:\\Windows\\{700B662E-1091-4508-B4B3-61082259EC1A}.exe" C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDF962B-8049-4667-A893-F02469AFC179} C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E081B303-FB06-4603-B6CF-8459EC78466A}\stubpath = "C:\\Windows\\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe" C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}\stubpath = "C:\\Windows\\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe" C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E081B303-FB06-4603-B6CF-8459EC78466A} C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF781A25-309F-4286-AF85-DE6DD161BDE2}\stubpath = "C:\\Windows\\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe" C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B} C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}\stubpath = "C:\\Windows\\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe" C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A1DFEC-78EE-4b25-B579-5D686B7D493F} C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBDF962B-8049-4667-A893-F02469AFC179}\stubpath = "C:\\Windows\\{DBDF962B-8049-4667-A893-F02469AFC179}.exe" C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}\stubpath = "C:\\Windows\\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe" C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF781A25-309F-4286-AF85-DE6DD161BDE2} C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6} C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}\stubpath = "C:\\Windows\\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe" C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B} C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
File created C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe N/A
File created C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe N/A
File created C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe N/A
File created C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe N/A
File created C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe N/A
File created C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe N/A
File created C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe N/A
File created C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe
PID 2440 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe C:\Windows\SysWOW64\cmd.exe
PID 2488 wrote to memory of 2980 N/A C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe
PID 2488 wrote to memory of 2852 N/A C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2344 N/A C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe
PID 2980 wrote to memory of 2728 N/A C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2708 N/A C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe
PID 2344 wrote to memory of 2736 N/A C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2412 N/A C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe
PID 2708 wrote to memory of 2924 N/A C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2332 N/A C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe
PID 2412 wrote to memory of 1632 N/A C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2900 N/A C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe
PID 2332 wrote to memory of 2692 N/A C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1376 N/A C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe
PID 2900 wrote to memory of 1028 N/A C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe

"C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe"

C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe

C:\Windows\{1C0AA2EB-94FC-43f4-A034-BFB6EF7D5D3B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C11BDD~1.EXE > nul

C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe

C:\Windows\{E081B303-FB06-4603-B6CF-8459EC78466A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1C0AA~1.EXE > nul

C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe

C:\Windows\{BF781A25-309F-4286-AF85-DE6DD161BDE2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E081B~1.EXE > nul

C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe

C:\Windows\{149E1842-F4E3-41f5-B2DA-53D2EA41DB0B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BF781~1.EXE > nul

C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe

C:\Windows\{E3799FB0-1447-47c6-AED4-435AC36BD9AC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{149E1~1.EXE > nul

C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe

C:\Windows\{23A1DFEC-78EE-4b25-B579-5D686B7D493F}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E3799~1.EXE > nul

C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe

C:\Windows\{700B662E-1091-4508-B4B3-61082259EC1A}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{23A1D~1.EXE > nul

C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe

C:\Windows\{DBDF962B-8049-4667-A893-F02469AFC179}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{700B6~1.EXE > nul

C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe

C:\Windows\{AF238ADC-3DE7-4c81-BC05-AE3308FE1BF6}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{DBDF9~1.EXE > nul

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 12:46

Reported

2024-11-11 12:48

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}\stubpath = "C:\\Windows\\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe" C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91} C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DD3A37-11E3-4256-AEA3-B213900402C8} C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}\stubpath = "C:\\Windows\\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe" C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A57611-0E4B-44e1-BD85-E56416BFE287} C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{324B0987-5959-4702-950E-C16AA867807D} C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{324B0987-5959-4702-950E-C16AA867807D}\stubpath = "C:\\Windows\\{324B0987-5959-4702-950E-C16AA867807D}.exe" C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48D87576-1B71-42a3-92AD-A08A82E6AAE8} C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD80C96-ECCD-482a-9E88-26C491E92824}\stubpath = "C:\\Windows\\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe" C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43D839E3-A004-40bb-ADD5-FED1B7906FFE} C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}\stubpath = "C:\\Windows\\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe" C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB} C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1A57611-0E4B-44e1-BD85-E56416BFE287}\stubpath = "C:\\Windows\\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe" C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33DD3A37-11E3-4256-AEA3-B213900402C8}\stubpath = "C:\\Windows\\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe" C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}\stubpath = "C:\\Windows\\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe" C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}\stubpath = "C:\\Windows\\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe" C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AD80C96-ECCD-482a-9E88-26C491E92824} C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8} C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe N/A
File created C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe N/A
File created C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe N/A
File created C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe N/A
File created C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe N/A
File created C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe N/A
File created C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe N/A
File created C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
File created C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe
PID 2956 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 1856 N/A C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe
PID 924 wrote to memory of 1100 N/A C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 3144 N/A C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe
PID 1856 wrote to memory of 448 N/A C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 3208 N/A C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe
PID 3144 wrote to memory of 1828 N/A C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 2736 N/A C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe
PID 3208 wrote to memory of 100 N/A C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2984 N/A C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe
PID 2736 wrote to memory of 1204 N/A C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 1264 N/A C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe
PID 2984 wrote to memory of 3392 N/A C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 3532 N/A C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe
PID 1264 wrote to memory of 2388 N/A C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 1440 N/A C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe
PID 3532 wrote to memory of 2764 N/A C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe

"C:\Users\Admin\AppData\Local\Temp\c11bdd0ffa0ebb0e0a43c63381fdc2a073a87b44cb83f44cc7417b0c56039919N.exe"

C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe

C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C11BDD~1.EXE > nul

C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe

C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{324B0~1.EXE > nul

C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe

C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{48D87~1.EXE > nul

C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe

C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1D277~1.EXE > nul

C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe

C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{33DD3~1.EXE > nul

C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe

C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{865B8~1.EXE > nul

C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe

C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{B1A57~1.EXE > nul

C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe

C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{6AD80~1.EXE > nul

C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe

C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{A6F93~1.EXE > nul

Network

Files

C:\Windows\{324B0987-5959-4702-950E-C16AA867807D}.exe

C:\Windows\{48D87576-1B71-42a3-92AD-A08A82E6AAE8}.exe

C:\Windows\{1D2770E3-DBE8-4188-9EE6-51EA4B7B1F91}.exe

C:\Windows\{33DD3A37-11E3-4256-AEA3-B213900402C8}.exe

C:\Windows\{865B8544-D1DC-4f25-BF42-3296C3DBEFFB}.exe

C:\Windows\{B1A57611-0E4B-44e1-BD85-E56416BFE287}.exe

C:\Windows\{6AD80C96-ECCD-482a-9E88-26C491E92824}.exe

C:\Windows\{A6F93E90-3388-41d1-987C-8D8DCA9A3DF8}.exe

C:\Windows\{43D839E3-A004-40bb-ADD5-FED1B7906FFE}.exe