Malware Analysis Report

2025-08-11 08:18

Sample ID 241112-n2zk5sscqa
Target aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe
SHA256 4f4d9cf53a05df7f2a0eb520737b83586ea875090d2eceb7fbdfe969b871fc9d
Tags discovery persistence
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256 4f4d9cf53a05df7f2a0eb520737b83586ea875090d2eceb7fbdfe969b871fc9d

Threat Level: Likely malicious

The file aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Boot or Logon Autostart Execution: Active Setup

Deletes itself

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-12 11:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-12 11:54

Reported 2024-11-12 11:56

Platform win7-20240903-en

Max time kernel 119s

Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}\stubpath = "C:\\Windows\\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe" C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D57B644B-075B-4e6d-A86D-297BCD625BA0}\stubpath = "C:\\Windows\\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe" C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}\stubpath = "C:\\Windows\\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe" C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047} C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A23CC6E-4004-4790-88CE-AA3047AD24D7} C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}\stubpath = "C:\\Windows\\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe" C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B4F8D7-6196-4d0c-909D-3E50D3C54834} C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5} C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93750D06-50CE-4665-8383-FCAE56E6DDAC}\stubpath = "C:\\Windows\\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe" C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D57B644B-075B-4e6d-A86D-297BCD625BA0} C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037} C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}\stubpath = "C:\\Windows\\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe" C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39} C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}\stubpath = "C:\\Windows\\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe" C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94} C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}\stubpath = "C:\\Windows\\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe" C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}\stubpath = "C:\\Windows\\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe" C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93750D06-50CE-4665-8383-FCAE56E6DDAC} C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe N/A
File created C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe N/A
File created C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe N/A
File created C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
File created C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe N/A
File created C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe N/A
File created C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe N/A
File created C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe N/A
File created C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
PID 2516 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
PID 2516 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
PID 2516 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
PID 2516 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\SysWOW64\cmd.exe
PID 2516 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
PID 2956 wrote to memory of 2856 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
PID 2956 wrote to memory of 2720 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2720 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2720 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2720 N/A C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2844 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
PID 2856 wrote to memory of 2844 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
PID 2856 wrote to memory of 2844 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
PID 2856 wrote to memory of 2844 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
PID 2856 wrote to memory of 2600 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2600 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2600 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2600 N/A C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2572 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
PID 2844 wrote to memory of 2572 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
PID 2844 wrote to memory of 2572 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
PID 2844 wrote to memory of 2572 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
PID 2844 wrote to memory of 2640 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2640 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2640 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 2640 N/A C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
PID 2572 wrote to memory of 2536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
PID 2572 wrote to memory of 2536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
PID 2572 wrote to memory of 2536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
PID 2572 wrote to memory of 1536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1536 N/A C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 348 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
PID 2536 wrote to memory of 348 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
PID 2536 wrote to memory of 348 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
PID 2536 wrote to memory of 348 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
PID 2536 wrote to memory of 2792 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2792 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2792 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\SysWOW64\cmd.exe
PID 2536 wrote to memory of 2792 N/A C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 2328 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
PID 348 wrote to memory of 2328 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
PID 348 wrote to memory of 2328 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
PID 348 wrote to memory of 2328 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
PID 348 wrote to memory of 1624 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 1624 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 1624 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\SysWOW64\cmd.exe
PID 348 wrote to memory of 1624 N/A C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1420 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
PID 2328 wrote to memory of 1420 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
PID 2328 wrote to memory of 1420 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
PID 2328 wrote to memory of 1420 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
PID 2328 wrote to memory of 1248 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1248 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1248 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1248 N/A C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe

"C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe"

C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe

C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAE0B1~1.EXE > nul

C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe

C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF5A~1.EXE > nul

C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe

C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C6E~1.EXE > nul

C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe

C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{1A23C~1.EXE > nul

C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe

C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D57B6~1.EXE > nul

C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe

C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D05A1~1.EXE > nul

C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe

C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{50B4F~1.EXE > nul

C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe

C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{25F6C~1.EXE > nul

C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe

C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{F20DD~1.EXE > nul

Network

N/A

Files

C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe

MD5 db4a64a7c61f7e9063dd8fbc2da44f7e
SHA1 94cb313c00a8b1f79acf30581b29c7fdcb309a21
SHA256 9b5306440ae97a56b9c9d0d59270a3c87576729a8fe111df9632e2b24a2d5e37
SHA512 be477969350816be00790c6bc62ff9fd091827535f31ee04434fbc9809664e03d377d379a1e72e78d41da0e5b14b309bc36d302c438c593c3efb8c83ee878c10

C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe

MD5 726d85c74b266b18630dd35343aa7a32
SHA1 22bbcad612ad51c26a36114d8429320c03bd906d
SHA256 e159f1d4dd980bb303d21156ead2b048bacb187e1cc4b38401a297c1303c3a3e
SHA512 30311ee7a16d56a1b03e1894c6a91253d80ac749def5e867e0d3c8404825a5f2922d0a420c406917a432a7b0b26355f5cc5cab08df15c111065a76d64106d716

C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe

MD5 c70fde1c1574978736f7498bf4fea0d1
SHA1 58dbf70743c74bed7b6e3c82b60a8c06f5163507
SHA256 ca49741fccd80f07106bbc992e5f6ece17ff6fbecee6c85567c2a746c39810aa
SHA512 f7e03d3addd59b32ff9b98b7521febb9e6c2b29f81a3738d1f44851c2c1b37f86e83afacee7437b266156fe51b0504328e59d68d31c5cf13c47f92850e2a3e6b

C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe

MD5 3db51fa482f8aad0d0a7a2c494ab9587
SHA1 cfb1772f5afb9d9e1f900f0d8c7961c5da659a6c
SHA256 65365886a6c8e125d6cc4a8d80ed0743082cb3e5422ec9898c322b684e5ff765
SHA512 f07f397979b25bd35c232fd765a0d8bd8136f1a0ee25a34eb643b9e3bebace71d520f86dd7af198b0b75f74a064a87f92417282e10b035815af6b826ebe63a2a

C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe

MD5 703fc283c0621abd0871e4982a008d74
SHA1 37b1f85192978210f861b3adc025b34c4bde67c8
SHA256 205b8753fc35516b4e938f26004c7da2646abe5c0a0453ed82a3c00ff4616371
SHA512 2c533002c1efb43f86b93eab2d7a65931a58acadad208cd6c4abcb45fbdfec450c8bd3bf218790f7211e1ee485a554f8df9173ac65ff859346a1232808622339

C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe

MD5 fde9e7a0a210fbe613555f8b1448b716
SHA1 c288d302b33da89b7ce1e238171f760d0de335fa
SHA256 afdf8a41bc6bebf0102c884c698c3c3b26a3cf04f658d340a64d1068a78e5a1f
SHA512 e91bbff83f09ea2b75a3f9d4e11be50cd75a9582efbaa8da81e232e466101e09c66891a2056f95b89bd02fb61aab3e813ccff4b2c0153796c91d9a607784ee5f

C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe

MD5 fa93b4846d68528eabc40ad11f58cee8
SHA1 7e4e686e210ab2849212a6e7827311546c4ce895
SHA256 6311161dba08bdae6c4e9231d437dce5a3432e94a95538f8e06493a7405ebf22
SHA512 934c68b1a62538b9c850b136da11f2125d89d288caae5f2e5ea6c8df3f5ff1d374c87562369174b5dc5bec070a94d317e71b15e65f3fe77071c77b251b44177a

C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe

MD5 e31768f51fd04c824a945366687049fe
SHA1 a8005e1484ac949f12956d0fd75133163c9f69bf
SHA256 a70918d39c65595947ea7aea10e11dae73f5b28cbbbba5972cd0a45d3e994d5d
SHA512 a4811657e888a89399d4a57fe7176c1161f98785bd1565b3438f551a9742a947b6044da1f0c51ab00947bf7443788d679d0ac76c60bcd4db3982d32085169ba3

C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe

MD5 6f7d4d91ba67164cf496ecf3368ae678
SHA1 aca6b11174cae0091ac61104c854f25c107a2a56
SHA256 f1670ba78275459d7019c960d32f57250b729328c18255c55c357814769074d4
SHA512 e72b5517ae8f8feca8a461a5f67a817b0020b540bb4d86993c603f3fe9d96e963062bc63aabc648ca497aa2cc16043404dae45c936b8760e4ad06917ab3d94a5

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-12 11:54

Reported 2024-11-12 11:56

Platform win10v2004-20241007-en

Max time kernel 118s

Max time network 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}\stubpath = "C:\\Windows\\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe" C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{372A024F-38F9-4d28-800F-8799DC9EF3BC}\stubpath = "C:\\Windows\\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe" C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}\stubpath = "C:\\Windows\\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe" C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}\stubpath = "C:\\Windows\\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe" C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}\stubpath = "C:\\Windows\\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe" C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F25992D-B821-4379-985B-FECEE68AD956} C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}\stubpath = "C:\\Windows\\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe" C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE017E74-8183-43cb-88C3-68DB376A5894} C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DE3039-5CB2-417e-AD2C-8EF8A175108B} C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE017E74-8183-43cb-88C3-68DB376A5894}\stubpath = "C:\\Windows\\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe" C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DA0A64-F514-4e25-B30C-DBB82CFF6588} C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5791936-CECE-4ea8-AF6E-9529E9B824E4} C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D29330FE-F66F-4ce3-BA89-5714855D72D2}\stubpath = "C:\\Windows\\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe" C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{372A024F-38F9-4d28-800F-8799DC9EF3BC} C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F25992D-B821-4379-985B-FECEE68AD956}\stubpath = "C:\\Windows\\{5F25992D-B821-4379-985B-FECEE68AD956}.exe" C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472} C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D29330FE-F66F-4ce3-BA89-5714855D72D2} C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7} C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe N/A
File created C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe N/A
File created C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe N/A
File created C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe N/A
File created C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe N/A
File created C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe N/A
File created C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
File created C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe N/A
File created C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe
PID 2572 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe
PID 2572 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe
PID 2572 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1236 N/A C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe
PID 2484 wrote to memory of 1236 N/A C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe
PID 2484 wrote to memory of 1236 N/A C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe
PID 2484 wrote to memory of 1224 N/A C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1224 N/A C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 1224 N/A C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 3264 N/A C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe
PID 1236 wrote to memory of 3264 N/A C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe
PID 1236 wrote to memory of 3264 N/A C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe
PID 1236 wrote to memory of 2664 N/A C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 2664 N/A C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe C:\Windows\SysWOW64\cmd.exe
PID 1236 wrote to memory of 2664 N/A C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 1904 N/A C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe
PID 3264 wrote to memory of 1904 N/A C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe
PID 3264 wrote to memory of 1904 N/A C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe
PID 3264 wrote to memory of 3424 N/A C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 3424 N/A C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 3264 wrote to memory of 3424 N/A C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 4964 N/A C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe
PID 1904 wrote to memory of 4964 N/A C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe
PID 1904 wrote to memory of 4964 N/A C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe
PID 1904 wrote to memory of 1992 N/A C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 1992 N/A C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 1992 N/A C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 4540 N/A C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe
PID 4964 wrote to memory of 4540 N/A C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe
PID 4964 wrote to memory of 4540 N/A C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe
PID 4964 wrote to memory of 1988 N/A C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 1988 N/A C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4964 wrote to memory of 1988 N/A C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 4708 N/A C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe
PID 4540 wrote to memory of 4708 N/A C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe
PID 4540 wrote to memory of 4708 N/A C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe
PID 4540 wrote to memory of 2556 N/A C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 2556 N/A C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe C:\Windows\SysWOW64\cmd.exe
PID 4540 wrote to memory of 2556 N/A C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1740 N/A C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe
PID 4708 wrote to memory of 1740 N/A C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe
PID 4708 wrote to memory of 1740 N/A C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe
PID 4708 wrote to memory of 1280 N/A C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1280 N/A C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 1280 N/A C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4352 N/A C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe
PID 1740 wrote to memory of 4352 N/A C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe
PID 1740 wrote to memory of 4352 N/A C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe
PID 1740 wrote to memory of 4388 N/A C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4388 N/A C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe C:\Windows\SysWOW64\cmd.exe
PID 1740 wrote to memory of 4388 N/A C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe

"C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe"

C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe

C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAE0B1~1.EXE > nul

C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe

C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BD7~1.EXE > nul

C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe

C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{D2933~1.EXE > nul

C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe

C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{372A0~1.EXE > nul

C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe

C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{5F259~1.EXE > nul

C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe

C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{94DE3~1.EXE > nul

C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe

C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{CE017~1.EXE > nul

C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe

C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{55DA0~1.EXE > nul

C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe

C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Windows\{E5791~1.EXE > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe


C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe


C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe


C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe


C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe


C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe


C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe


C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe


C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe
