Analysis
-
max time kernel
299s -
max time network
272s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
16-07-2024 22:15
Static task
static1
General
-
Target
DHL_TOC2_2407081728458457.pdf.exe
-
Size
1.0MB
-
MD5
f6ed869b733b1f2aa3bdd06040f3372a
-
SHA1
7075acf1c62e44653f5c834a14b56cd342f0ae5a
-
SHA256
05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1
-
SHA512
cba7753022eaa43f2d1bc77c73c7276824545e3083eee5e321f8be5b729bad3b01fe84108cbc5bdbe5fca7df1e802a55b36ef19292b1874a1cb514af5c16c582
-
SSDEEP
24576:PAHnh+eWsN3skA4RV1Hom2KXMmHasscwkKNvvD5:yh+ZkldoPK8Yassht
Malware Config
Extracted
formbook
4.1
rn94
st68v.xyz
conciergenotary.net
qwechaotk.top
rtpdonatoto29.xyz
8ad.xyz
powermove.top
cameras-30514.bond
vanguardcoffee.shop
umoe53fxc1bsujv.buzz
consultoriamax.net
hplxx.com
ndu.wtf
yzh478c.xyz
bigbrown999.site
xiake07.asia
resdai.xyz
the35678.shop
ba6rf.rest
ceo688.com
phimxhot.xyz
010101-11122-2222.cloud
champion-casino-skw.buzz
laku77.bar
popumail.net
stargazerastrology.click
beauty.university
t460.top
sparkyos.app
day2go.net
minrungis.shop
cognigrid.com
abandoned-houses-39863.bond
liderparti.store
hinet.tech
moviemax.live
business-printer-22001.bond
yakintv.pro
longmaosol.xyz
hello4d.dev
vestircool.store
surpriseinside.net
betflixfan.asia
ln2m1.shop
5302mcavt.website
conf-contact.online
31140.ooo
bdkasinoxox.xyz
nicoleb.tech
mainz-cruise-deals.today
run-run.tokyo
practicalfranchises.info
usmanovbanki-uz.space
superlottery.top
zabbet911.bet
ambassadorshipvottings.click
sangforln.tech
expertoffersusa.lat
plong.cloud
cryptoautomata.dev
dq33xa.xyz
handtools-16660.bond
24763wbk.hair
sportswear-30530.bond
lusuidnx.shop
laske.xyz
Signatures
-
Formbook payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/4984-28-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/4984-31-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/4984-51-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/1452-53-0x0000000000C50000-0x0000000000C7F000-memory.dmp formbook -
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 81 1452 rundll32.exe 84 1452 rundll32.exe -
Drops startup file 4 IoCs
Processes:
Winword.exename.exetaskmgr.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Winword.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$name.vbs Winword.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\name.vbs taskmgr.exe -
Executes dropped EXE 2 IoCs
Processes:
name.exename.exepid process 2380 name.exe 4204 name.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\directory\name.exe autoit_exe -
Suspicious use of SetThreadContext 7 IoCs
Processes:
name.exesvchost.exerundll32.exename.exesvchost.exedescription pid process target process PID 2380 set thread context of 4984 2380 name.exe svchost.exe PID 4984 set thread context of 3280 4984 svchost.exe Explorer.EXE PID 4984 set thread context of 3280 4984 svchost.exe Explorer.EXE PID 1452 set thread context of 3280 1452 rundll32.exe Explorer.EXE PID 1452 set thread context of 2200 1452 rundll32.exe NOTEPAD.EXE PID 4204 set thread context of 2692 4204 name.exe svchost.exe PID 2692 set thread context of 3280 2692 svchost.exe Explorer.EXE -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Winword.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Winword.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
Winword.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily Winword.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Winword.exe -
Processes:
Explorer.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Main Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) 
\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE -
Modifies registry class 64 IoCs
Processes:
Explorer.EXEOpenWith.exetaskmgr.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\MRUListEx = ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Explorer.EXE Set value (str) 
\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "844" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" Explorer.EXE Set value (data) 
\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "3" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 0100000000000000ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\NodeSlot = "5" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Explorer.EXE Set value (int) 
\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c00434653461600310000000000e9580786120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbee9580786f058fdb12e0000005d570200000001000000000000000000000000000000bf53bf004100700070004400610074006100000042000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 = 5a00310000000000f058fdb1100053797374656d33320000420009000400efbec5522d60f058fdb12e0000008f36000000000100000000000000000000000000000041967c00530079007300740065006d0033003200000018000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = 00000000ffffffff Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" Explorer.EXE Key created \Registry\User\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\NotificationData Explorer.EXE Key created 
\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000a31672c91fd2da01f7d6f96624d2da019f8a06d4cdd7da0114000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings taskmgr.exe Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Explorer.EXE Set value (int) 
\REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5c00310000000000e958038a14004d4943524f537e310000440009000400efbee9580786f05800b22e0000005f5702000000010000000000000000000000000000006a952b004d006900630072006f0073006f0066007400000018000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" Explorer.EXE -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2200 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes:
Explorer.EXEWinword.exepid process 3280 Explorer.EXE 3352 Winword.exe 3352 Winword.exe 3280 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
svchost.exetaskmgr.exerundll32.exepid process 4984 svchost.exe 4984 svchost.exe 4984 svchost.exe 4984 svchost.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 4984 svchost.exe 4984 svchost.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1452 rundll32.exe 1452 rundll32.exe 1364 taskmgr.exe 1452 rundll32.exe 1452 rundll32.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1452 rundll32.exe 1452 rundll32.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1452 rundll32.exe 1452 rundll32.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1452 rundll32.exe 1452 rundll32.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1452 rundll32.exe 1452 rundll32.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1452 rundll32.exe 1452 rundll32.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
Explorer.EXEOpenWith.exetaskmgr.exepid process 3280 Explorer.EXE 560 OpenWith.exe 1364 taskmgr.exe -
Suspicious behavior: MapViewOfSection 13 IoCs
Processes:
name.exesvchost.exerundll32.exename.exesvchost.exepid process 2380 name.exe 4984 svchost.exe 4984 svchost.exe 4984 svchost.exe 4984 svchost.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 4204 name.exe 2692 svchost.exe 2692 svchost.exe 2692 svchost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeExplorer.EXEtaskmgr.exerundll32.exesvchost.exedescription pid process Token: SeDebugPrivilege 4984 svchost.exe Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeDebugPrivilege 1364 taskmgr.exe Token: SeSystemProfilePrivilege 1364 taskmgr.exe Token: SeCreateGlobalPrivilege 1364 taskmgr.exe Token: SeDebugPrivilege 1452 rundll32.exe Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeSecurityPrivilege 3280 Explorer.EXE Token: SeTakeOwnershipPrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeBackupPrivilege 4964 svchost.exe Token: SeRestorePrivilege 4964 svchost.exe Token: SeSecurityPrivilege 4964 svchost.exe Token: SeTakeOwnershipPrivilege 4964 svchost.exe Token: 35 4964 svchost.exe Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: 
SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE Token: SeShutdownPrivilege 3280 Explorer.EXE Token: SeCreatePagefilePrivilege 3280 Explorer.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe 1364 taskmgr.exe -
Suspicious use of SetWindowsHookEx 54 IoCs
Processes:
Explorer.EXEOpenWith.exeWinword.exeMiniSearchHost.exepid process 3280 Explorer.EXE 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 560 OpenWith.exe 3352 Winword.exe 3352 Winword.exe 3352 Winword.exe 3352 Winword.exe 3352 Winword.exe 3352 Winword.exe 3352 Winword.exe 3280 Explorer.EXE 3280 Explorer.EXE 3280 Explorer.EXE 3676 MiniSearchHost.exe 3280 Explorer.EXE 3280 Explorer.EXE 3280 Explorer.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
DHL_TOC2_2407081728458457.pdf.exename.exeExplorer.EXErundll32.exeOpenWith.exename.exedescription pid process target process PID 4120 wrote to memory of 2380 4120 DHL_TOC2_2407081728458457.pdf.exe name.exe PID 4120 wrote to memory of 2380 4120 DHL_TOC2_2407081728458457.pdf.exe name.exe PID 4120 wrote to memory of 2380 4120 DHL_TOC2_2407081728458457.pdf.exe name.exe PID 2380 wrote to memory of 4984 2380 name.exe svchost.exe PID 2380 wrote to memory of 4984 2380 name.exe svchost.exe PID 2380 wrote to memory of 4984 2380 name.exe svchost.exe PID 2380 wrote to memory of 4984 2380 name.exe svchost.exe PID 3280 wrote to memory of 1364 3280 Explorer.EXE taskmgr.exe PID 3280 wrote to memory of 1364 3280 Explorer.EXE taskmgr.exe PID 3280 wrote to memory of 1452 3280 Explorer.EXE rundll32.exe PID 3280 wrote to memory of 1452 3280 Explorer.EXE rundll32.exe PID 3280 wrote to memory of 1452 3280 Explorer.EXE rundll32.exe PID 1452 wrote to memory of 4284 1452 rundll32.exe cmd.exe PID 1452 wrote to memory of 4284 1452 rundll32.exe cmd.exe PID 1452 wrote to memory of 4284 1452 rundll32.exe cmd.exe PID 560 wrote to memory of 3352 560 OpenWith.exe Winword.exe PID 560 wrote to memory of 3352 560 OpenWith.exe Winword.exe PID 3280 wrote to memory of 2200 3280 Explorer.EXE NOTEPAD.EXE PID 3280 wrote to memory of 2200 3280 Explorer.EXE NOTEPAD.EXE PID 3280 wrote to memory of 4204 3280 Explorer.EXE name.exe PID 3280 wrote to memory of 4204 3280 Explorer.EXE name.exe PID 3280 wrote to memory of 4204 3280 Explorer.EXE name.exe PID 4204 wrote to memory of 2692 4204 name.exe svchost.exe PID 4204 wrote to memory of 2692 4204 name.exe svchost.exe PID 4204 wrote to memory of 2692 4204 name.exe svchost.exe PID 4204 wrote to memory of 2692 4204 name.exe svchost.exe PID 3280 wrote to memory of 464 3280 Explorer.EXE explorer.exe PID 3280 wrote to memory of 464 3280 Explorer.EXE explorer.exe PID 3280 wrote to memory of 464 3280 Explorer.EXE explorer.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe"C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Users\Admin\AppData\Local\directory\name.exe"C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2380 -
Level 4: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4984 -
Level 2: C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1364 -
Level 2: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\SysWOW64\rundll32.exe"
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452 -
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
PID:4284
-
Level 2: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\test.txt
- Opens file in notepad (likely ransom note)
PID:2200 -
Level 2: C:\Users\Admin\AppData\Local\directory\name.exe
Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4204 -
Level 3: C:\Windows\SysWOW64\svchost.exe
Command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2692 -
Level 2: C:\Windows\SysWOW64\explorer.exe
Command line: "C:\Windows\SysWOW64\explorer.exe"
PID:464
-
Level 1: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:3576
-
Level 1: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k SDRSVC
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
Level 1: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560 -
Level 2: C:\Program Files\Microsoft Office\root\Office16\Winword.exe
Command line: "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
- Drops startup file
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3352
-
Level 1: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
- Suspicious use of SetWindowsHookEx
PID:3676
Network
MITRE ATT&CK Enterprise v15
Downloads