Analysis Overview
SHA256
4f4d9cf53a05df7f2a0eb520737b83586ea875090d2eceb7fbdfe969b871fc9d
Threat Level: Likely malicious
The file aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe was found to be: Likely malicious.
Malicious Activity Summary
Boot or Logon Autostart Execution: Active Setup
Deletes itself
Executes dropped EXE
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 11:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 11:54
Reported
2024-11-12 11:56
Platform
win7-20240903-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}\stubpath = "C:\\Windows\\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe" | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D57B644B-075B-4e6d-A86D-297BCD625BA0}\stubpath = "C:\\Windows\\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe" | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}\stubpath = "C:\\Windows\\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe" | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047} | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A23CC6E-4004-4790-88CE-AA3047AD24D7} | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}\stubpath = "C:\\Windows\\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe" | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B4F8D7-6196-4d0c-909D-3E50D3C54834} | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5} | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93750D06-50CE-4665-8383-FCAE56E6DDAC}\stubpath = "C:\\Windows\\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe" | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D57B644B-075B-4e6d-A86D-297BCD625BA0} | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037} | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}\stubpath = "C:\\Windows\\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe" | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39} | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}\stubpath = "C:\\Windows\\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe" | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94} | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}\stubpath = "C:\\Windows\\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe" | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}\stubpath = "C:\\Windows\\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe" | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93750D06-50CE-4665-8383-FCAE56E6DDAC} | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | N/A |
| N/A | N/A | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | N/A |
| N/A | N/A | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | N/A |
| N/A | N/A | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | N/A |
| N/A | N/A | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | N/A |
| N/A | N/A | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | N/A |
| N/A | N/A | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | N/A |
| N/A | N/A | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | N/A |
| N/A | N/A | C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | N/A |
| File created | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | N/A |
| File created | C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | N/A |
| File created | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| File created | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | N/A |
| File created | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | N/A |
| File created | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | N/A |
| File created | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | N/A |
| File created | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | "C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe" |
| C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe | C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAE0B1~1.EXE > nul |
| C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe | C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{BEF5A~1.EXE > nul |
| C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe | C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D7C6E~1.EXE > nul |
| C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe | C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{1A23C~1.EXE > nul |
| C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe | C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D57B6~1.EXE > nul |
| C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe | C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D05A1~1.EXE > nul |
| C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe | C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{50B4F~1.EXE > nul |
| C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe | C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{25F6C~1.EXE > nul |
| C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe | C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{F20DD~1.EXE > nul |
Network
Files
C:\Windows\{BEF5AAC4-BD88-4969-A0C6-4F1D19F84047}.exe
C:\Windows\{D7C6E14B-3D88-4c7f-A9C0-9BFD45A7AA94}.exe
C:\Windows\{1A23CC6E-4004-4790-88CE-AA3047AD24D7}.exe
C:\Windows\{D57B644B-075B-4e6d-A86D-297BCD625BA0}.exe
C:\Windows\{D05A1EBE-7C3A-42ff-BBDB-CB89EE4F8037}.exe
C:\Windows\{50B4F8D7-6196-4d0c-909D-3E50D3C54834}.exe
C:\Windows\{25F6C9EF-7ECB-4cee-B1CF-662F10101E39}.exe
C:\Windows\{F20DDF55-CB9C-458d-9291-9863EAB3F0B5}.exe
C:\Windows\{93750D06-50CE-4665-8383-FCAE56E6DDAC}.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 11:54
Reported
2024-11-12 11:56
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
95s
Command Line
Signatures
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}\stubpath = "C:\\Windows\\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe" | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{372A024F-38F9-4d28-800F-8799DC9EF3BC}\stubpath = "C:\\Windows\\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe" | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}\stubpath = "C:\\Windows\\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe" | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}\stubpath = "C:\\Windows\\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe" | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}\stubpath = "C:\\Windows\\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe" | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F25992D-B821-4379-985B-FECEE68AD956} | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}\stubpath = "C:\\Windows\\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe" | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE017E74-8183-43cb-88C3-68DB376A5894} | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DE3039-5CB2-417e-AD2C-8EF8A175108B} | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE017E74-8183-43cb-88C3-68DB376A5894}\stubpath = "C:\\Windows\\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe" | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55DA0A64-F514-4e25-B30C-DBB82CFF6588} | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5791936-CECE-4ea8-AF6E-9529E9B824E4} | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D29330FE-F66F-4ce3-BA89-5714855D72D2}\stubpath = "C:\\Windows\\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe" | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{372A024F-38F9-4d28-800F-8799DC9EF3BC} | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F25992D-B821-4379-985B-FECEE68AD956}\stubpath = "C:\\Windows\\{5F25992D-B821-4379-985B-FECEE68AD956}.exe" | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472} | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D29330FE-F66F-4ce3-BA89-5714855D72D2} | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7} | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | N/A |
| N/A | N/A | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | N/A |
| N/A | N/A | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | N/A |
| N/A | N/A | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | N/A |
| N/A | N/A | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | N/A |
| N/A | N/A | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | N/A |
| N/A | N/A | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | N/A |
| N/A | N/A | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | N/A |
| N/A | N/A | C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | N/A |
| File created | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | N/A |
| File created | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | N/A |
| File created | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | N/A |
| File created | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | N/A |
| File created | C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | N/A |
| File created | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| File created | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | N/A |
| File created | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe | "C:\Users\Admin\AppData\Local\Temp\aae0b153216e452853ef124a4b3f1657c1194d5702b946bd8de72f17437bd125N.exe" |
| C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe | C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAE0B1~1.EXE > nul |
| C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe | C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D8BD7~1.EXE > nul |
| C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe | C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{D2933~1.EXE > nul |
| C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe | C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{372A0~1.EXE > nul |
| C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe | C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{5F259~1.EXE > nul |
| C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe | C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{94DE3~1.EXE > nul |
| C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe | C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{CE017~1.EXE > nul |
| C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe | C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{55DA0~1.EXE > nul |
| C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe | C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c del C:\Windows\{E5791~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\{D8BD792E-C2DD-4f14-ABBA-C9C622B8E472}.exe
C:\Windows\{D29330FE-F66F-4ce3-BA89-5714855D72D2}.exe
C:\Windows\{372A024F-38F9-4d28-800F-8799DC9EF3BC}.exe
C:\Windows\{5F25992D-B821-4379-985B-FECEE68AD956}.exe
C:\Windows\{94DE3039-5CB2-417e-AD2C-8EF8A175108B}.exe
C:\Windows\{CE017E74-8183-43cb-88C3-68DB376A5894}.exe
C:\Windows\{55DA0A64-F514-4e25-B30C-DBB82CFF6588}.exe
C:\Windows\{E5791936-CECE-4ea8-AF6E-9529E9B824E4}.exe
C:\Windows\{C9F4F75E-4BD8-458b-9AB4-6A54E84B0EE7}.exe