Overview
overview
10Static
static
10c7cf70e4f1...03.exe
windows7-x64
1c7cf70e4f1...03.exe
windows10-2004-x64
1c7cf7f1583...df.exe
windows7-x64
3c7cf7f1583...df.exe
windows10-2004-x64
3c7e0e2cc0b...a4.exe
windows7-x64
10c7e0e2cc0b...a4.exe
windows10-2004-x64
10c82cf03dc7...94.exe
windows7-x64
3c82cf03dc7...94.exe
windows10-2004-x64
3c82e8ca52a...ec.exe
windows7-x64
7c82e8ca52a...ec.exe
windows10-2004-x64
7c855759c0f...28.exe
windows7-x64
10c855759c0f...28.exe
windows10-2004-x64
10c870e41803...a5.exe
windows7-x64
10c870e41803...a5.exe
windows10-2004-x64
10c888e1de25...e1.exe
windows7-x64
10c888e1de25...e1.exe
windows10-2004-x64
10c8a241ce60...9d.exe
windows7-x64
6c8a241ce60...9d.exe
windows10-2004-x64
7c8b8a4b9ce...ee.exe
windows7-x64
10c8b8a4b9ce...ee.exe
windows10-2004-x64
10c8bdecaa93...15.exe
windows7-x64
10c8bdecaa93...15.exe
windows10-2004-x64
10c8e7700ee6...e9.exe
windows7-x64
10c8e7700ee6...e9.exe
windows10-2004-x64
10c91bc52cc5...0c.exe
windows7-x64
7c91bc52cc5...0c.exe
windows10-2004-x64
7c93d951c2f...12.exe
windows7-x64
10c93d951c2f...12.exe
windows10-2004-x64
10c949630c94...1f.exe
windows7-x64
7c949630c94...1f.exe
windows10-2004-x64
7c94fcbd3ca...a9.exe
windows7-x64
10c94fcbd3ca...a9.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:16
Behavioral task
behavioral1
Sample
c7cf70e4f1b3a0683850a99c3f6fac8461ad028ec9f90c79eb209fa3b566e103.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c7cf70e4f1b3a0683850a99c3f6fac8461ad028ec9f90c79eb209fa3b566e103.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
c7cf7f1583d461202a26e85770a8f15a8fd83a37d1f9d3a5ce8ee19a3b7efbdf.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
c7cf7f1583d461202a26e85770a8f15a8fd83a37d1f9d3a5ce8ee19a3b7efbdf.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
c7e0e2cc0be8b051458a1d381ce938a5916d17ca60fbe8b55c993d41be140aa4.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
c82cf03dc74500d9c2a3451c0a01c7601f431b47003fe71220153f4734b83c94.exe
Resource
win7-20250207-en
Behavioral task
behavioral8
Sample
c82cf03dc74500d9c2a3451c0a01c7601f431b47003fe71220153f4734b83c94.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral9
Sample
c82e8ca52adaef2ad87a8f855739f4ec.exe
Resource
win7-20250207-en
Behavioral task
behavioral10
Sample
c82e8ca52adaef2ad87a8f855739f4ec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
c870e41803c86f574d467de03b94d3a5.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
c870e41803c86f574d467de03b94d3a5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
c888e1de25b9c34d74509d3ed5a918e1.exe
Resource
win7-20250207-en
Behavioral task
behavioral16
Sample
c888e1de25b9c34d74509d3ed5a918e1.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
c8a241ce60ec6fd11993628cd54237d7a54831874afb79467ac1b52d6a236c9d.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
c8a241ce60ec6fd11993628cd54237d7a54831874afb79467ac1b52d6a236c9d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
c8b8a4b9ce02eacd35169b19611d51762d5cb5de0b8fd57fb2188360e330e0ee.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral21
Sample
c8bdecaa93c4ace382df013284f7209d35750e0b3de6354b0ceeababbf192915.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
c8bdecaa93c4ace382df013284f7209d35750e0b3de6354b0ceeababbf192915.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
c8e7700ee69af8f70235a048b1b5b1e9.exe
Resource
win7-20250207-en
Behavioral task
behavioral24
Sample
c8e7700ee69af8f70235a048b1b5b1e9.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
c91bc52cc51e01b3224c7a365654c1c5add7892e81432c964fd9fa8ac3c51e0c.exe
Resource
win7-20241023-en
Behavioral task
behavioral26
Sample
c91bc52cc51e01b3224c7a365654c1c5add7892e81432c964fd9fa8ac3c51e0c.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
c949630c94733e122dc321316d68ca1f.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
c949630c94733e122dc321316d68ca1f.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
c94fcbd3ca89723863a372a980b7dfcd5ee5ef7cd41042f6aaefd68e51f39ba9.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
c94fcbd3ca89723863a372a980b7dfcd5ee5ef7cd41042f6aaefd68e51f39ba9.exe
Resource
win10v2004-20250314-en
General
-
Target
c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe
-
Size
1.9MB
-
MD5
8e079931976b660c64ddb79468d6075b
-
SHA1
e728c1b735c98351be645a68934edad1f52e09b3
-
SHA256
c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428
-
SHA512
36e997cb6b10099db8271303d8b3f5fcb6166104720819afb2a257071e34dddb06d6f9178145680b4aa1712fa1e03d3ba9984cc900e6b42244bf2a3e3faa67e9
-
SSDEEP
24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD
Malware Config
Signatures
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 796 2528 schtasks.exe 30 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3016 2528 schtasks.exe 30 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1700 2528 schtasks.exe 30 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 772 2528 schtasks.exe 30 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1012 2528 schtasks.exe 30 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1048 2528 schtasks.exe 30 -
UAC bypass 3 TTPs 30 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2392 powershell.exe 1192 powershell.exe 2420 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe -
Executes dropped EXE 9 IoCs
pid Process 2060 winlogon.exe 1284 winlogon.exe 1788 winlogon.exe 2276 winlogon.exe 1564 winlogon.exe 1264 winlogon.exe 1856 winlogon.exe 2400 winlogon.exe 2508 winlogon.exe -
Checks whether UAC is enabled 1 TTPs 20 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\de-DE\winlogon.exe c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe File opened for modification C:\Windows\de-DE\winlogon.exe c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe File created C:\Windows\de-DE\cc11b995f2a76d c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe File opened for modification C:\Windows\de-DE\RCX6F0A.tmp c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe File opened for modification C:\Windows\de-DE\RCX6F1B.tmp c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1048 schtasks.exe 796 schtasks.exe 3016 schtasks.exe 1700 schtasks.exe 772 schtasks.exe 1012 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 2392 powershell.exe 2420 powershell.exe 1192 powershell.exe 2060 winlogon.exe 1284 winlogon.exe 1788 winlogon.exe 2276 winlogon.exe 1564 winlogon.exe 1264 winlogon.exe 1856 winlogon.exe 2400 winlogon.exe 2508 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeDebugPrivilege 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Token: SeDebugPrivilege 2392 powershell.exe Token: SeDebugPrivilege 2420 powershell.exe Token: SeDebugPrivilege 1192 powershell.exe Token: SeDebugPrivilege 2060 winlogon.exe Token: SeDebugPrivilege 1284 winlogon.exe Token: SeDebugPrivilege 1788 winlogon.exe Token: SeDebugPrivilege 2276 winlogon.exe Token: SeDebugPrivilege 1564 winlogon.exe Token: SeDebugPrivilege 1264 winlogon.exe Token: SeDebugPrivilege 1856 winlogon.exe Token: SeDebugPrivilege 2400 winlogon.exe Token: SeDebugPrivilege 2508 winlogon.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2392 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 37 PID 2736 wrote to memory of 2392 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 37 PID 2736 wrote to memory of 2392 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 37 PID 2736 wrote to memory of 1192 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 38 PID 2736 wrote to memory of 1192 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 38 PID 2736 wrote to memory of 1192 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 38 PID 2736 wrote to memory of 2420 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 39 PID 2736 wrote to memory of 2420 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 39 PID 2736 wrote to memory of 2420 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 39 PID 2736 wrote to memory of 2776 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 43 PID 2736 wrote to memory of 2776 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 43 PID 2736 wrote to memory of 2776 2736 c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe 43 PID 2776 wrote to memory of 2484 2776 cmd.exe 45 PID 2776 wrote to memory of 2484 2776 cmd.exe 45 PID 2776 wrote to memory of 2484 2776 cmd.exe 45 PID 2776 wrote to memory of 2060 2776 cmd.exe 46 PID 2776 wrote to memory of 2060 2776 cmd.exe 46 PID 2776 wrote to memory of 2060 2776 cmd.exe 46 PID 2060 wrote to memory of 760 2060 winlogon.exe 47 PID 2060 wrote to memory of 760 2060 winlogon.exe 47 PID 2060 wrote to memory of 760 2060 winlogon.exe 47 PID 2060 wrote to memory of 2356 2060 winlogon.exe 48 PID 2060 wrote to memory of 2356 2060 winlogon.exe 48 PID 2060 wrote to memory of 2356 2060 winlogon.exe 48 PID 760 wrote to memory of 1284 760 WScript.exe 49 PID 760 wrote to memory of 1284 760 WScript.exe 49 PID 760 wrote to memory of 1284 760 WScript.exe 49 PID 1284 wrote to memory of 2344 1284 winlogon.exe 50 PID 1284 wrote to memory of 2344 1284 winlogon.exe 50 PID 1284 wrote to memory of 2344 1284 winlogon.exe 50 PID 1284 wrote to memory of 3044 1284 winlogon.exe 51 PID 1284 wrote to memory of 3044 1284 winlogon.exe 51 PID 1284 wrote to memory of 3044 1284 winlogon.exe 51 PID 2344 wrote to memory of 1788 2344 WScript.exe 53 PID 2344 wrote to memory of 1788 2344 WScript.exe 53 PID 2344 wrote to memory of 1788 2344 WScript.exe 53 PID 1788 wrote to memory of 2828 1788 winlogon.exe 54 PID 1788 wrote to memory of 2828 1788 winlogon.exe 54 PID 1788 wrote to memory of 2828 1788 winlogon.exe 54 PID 1788 wrote to memory of 580 1788 winlogon.exe 55 PID 1788 wrote to memory of 580 1788 winlogon.exe 55 PID 1788 wrote to memory of 580 1788 winlogon.exe 55 PID 2828 wrote to memory of 2276 2828 WScript.exe 56 PID 2828 wrote to memory of 2276 2828 WScript.exe 56 PID 2828 wrote to memory of 2276 2828 WScript.exe 56 PID 2276 wrote to memory of 1724 2276 winlogon.exe 57 PID 2276 wrote to memory of 1724 2276 winlogon.exe 57 PID 2276 wrote to memory of 1724 2276 winlogon.exe 57 PID 2276 wrote to memory of 3060 2276 winlogon.exe 58 PID 2276 wrote to memory of 3060 2276 winlogon.exe 58 PID 2276 wrote to memory of 3060 2276 winlogon.exe 58 PID 1724 wrote to memory of 1564 1724 WScript.exe 59 PID 1724 wrote to memory of 1564 1724 WScript.exe 59 PID 1724 wrote to memory of 1564 1724 WScript.exe 59 PID 1564 wrote to memory of 2164 1564 winlogon.exe 60 PID 1564 wrote to memory of 2164 1564 winlogon.exe 60 PID 1564 wrote to memory of 2164 1564 winlogon.exe 60 PID 1564 wrote to memory of 1692 1564 winlogon.exe 61 PID 1564 wrote to memory of 1692 1564 winlogon.exe 61 PID 1564 wrote to memory of 1692 1564 winlogon.exe 61 PID 2164 wrote to memory of 1264 2164 WScript.exe 62 PID 2164 wrote to memory of 1264 2164 WScript.exe 62 PID 2164 wrote to memory of 1264 2164 WScript.exe 62 PID 1264 wrote to memory of 2944 1264 winlogon.exe 63 -
System policy modification 1 TTPs 30 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe"C:\Users\Admin\AppData\Local\Temp\c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe"1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2736 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yabN673CUK.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:2484
-
-
C:\Windows\de-DE\winlogon.exe"C:\Windows\de-DE\winlogon.exe"3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2060 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14efedf3-18c0-4248-a640-945442780852.vbs"4⤵
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1284 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3529ea3-af80-4fbb-a57c-8b55bf35def6.vbs"6⤵
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1788 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f6672b7-6582-454b-b9c3-2421e5a9b42b.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2276 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2ac1c6b-4767-47e1-90fe-f2f96d8fb526.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1564 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50c50453-3a31-4bf3-9f16-d347391212ce.vbs"12⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1264 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78cd26f5-51b0-4ec6-9099-e3ed528c9fdb.vbs"14⤵PID:2944
-
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1856 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\901bab08-9f93-478a-9b57-ae74a1753618.vbs"16⤵PID:1884
-
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2400 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ee653b8-219f-40fa-8f1d-a733016b1653.vbs"18⤵PID:1876
-
C:\Windows\de-DE\winlogon.exeC:\Windows\de-DE\winlogon.exe19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2508 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23979410-449f-4ab0-84b9-ad6305e1bc7d.vbs"20⤵PID:3036
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ffb52474-26e4-4732-9cd9-b3e675015c2b.vbs"20⤵PID:2464
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4495f6a3-a359-47c0-b561-c85f2c37586d.vbs"18⤵PID:2424
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b32a728-68be-4da1-8566-7c7ffaa87e19.vbs"16⤵PID:2880
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a77a69b-a589-4e08-92af-a7bba5422777.vbs"14⤵PID:892
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a31b60f0-6cc9-4881-8aed-a370f50b0563.vbs"12⤵PID:1692
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d371366e-41f9-48e6-88d3-4bda68c9da84.vbs"10⤵PID:3060
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fb80593-1554-4434-a433-396384e6b481.vbs"8⤵PID:580
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdd98e1-d1b6-444f-8cd4-e40d829d48c5.vbs"6⤵PID:3044
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc1ba574-ea4d-4070-a081-df8e0030afad.vbs"4⤵PID:2356
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
705B
MD56ab6e2c9f5d6cfbdd5a9df4308b11059
SHA1434cd275110a38cfcb018f0abb53108375cd6ae5
SHA2562dc38e68322de0c96ed71adeb36e17b740b173a119858edd34a3ff2d8be50a6b
SHA51258d256ceebfef9586f8153a8eae92e009331e2fd67ece39716fbc0a0a385e9380e89224e58be1288385e04eb247566be7d1eff1c3b2ee3af1020c7b2f5aa2fee
-
Filesize
705B
MD5b5f2a7785dbcf100f044ead224a7a6c3
SHA1c4972ea994834c4b2a27c75e579ce4a4373ebee7
SHA256eaab4d13cbf92a7e95c3070141f89a97387b37133ac01048f313fde55d7860ac
SHA512d4c48b48b721aac9451116e1fb0a15ecf77e431e4adc0843fe388d37ade890e2aac9d47e7e5221d9ac288a39ddd20417e19b6f7b9c846ce9493dae8a09ba0084
-
Filesize
705B
MD562bc09c77853f8df6086161dd1de846c
SHA11539a6014b761ad2ca3beca1f796a85fc3968c74
SHA25662140062f009dc898f687d6d52114124fd2c01ac27fcbd7f44e67b20133cd14a
SHA51284557e23c5da2de22a73bc3fa82951de59a3722c8ec4d36af8f5c258bc89c7430fa91d69c4919434b248ee415a21a2958362bea918d46c40fa39112d1377bbbe
-
Filesize
705B
MD59cfece5570dbd3517db05585557504a7
SHA191f19dfbc1e2a8aaed33e0adf36413e4d84b9f67
SHA25611c56784f01d7bb61149455a249ae9792f868978fbfef3c2fe53f48d50611098
SHA512367365758ea5902a392d7feddf0b24d9fe71394b1a3e0a181434553e9ad2e48577929b0662f31e849c9653e7d0f6051c53acb4a23cb815ddfab9350f18e75a87
-
Filesize
705B
MD52400939c9dc77636f4f6ba6ec0d8692c
SHA16668789d75c804da94c1e390fb1244a6af705607
SHA256bc8237590d4f166044def844306aeea06a421e4077d1cc1efe3446f781b5da97
SHA512f207e0775762211ff95ab0526abb8510fdf16e715b7730efa63ad44f632e65f6a7eab3bfd6b0e6bdcbeb238a04d2308533691c9ae064fd04e12b8d6eee14f5f3
-
Filesize
705B
MD5d5b519371c006d117f51b4f25b3651c8
SHA1c6c8550ef1b28db941a21a2cffdc506f416207a9
SHA25611fc20717570489749437ca60a20f83b82f0c94f0b0ba9a591e490de04a947e2
SHA512abd2f236d4cb8921f117eadbe9f05ec99d65cca9bd786cd169c33108471dd4e2dbd42c7ecb4fa26a98f143dba0e99212187a64cc7437560467190d78bf3be76d
-
Filesize
705B
MD57a42d563f8cf7c5cb8c7c2cd7e87be0b
SHA143228842b959db7202a94726cf2fb4ecf62c9236
SHA256b42293d1feab59bda13f71679375862c4748a50d828613075771ec3706cf9a44
SHA5125be833d23bf35aa922121ca04ec97948ca7b918d9c10eab7b40d6774d36174c26684dcd1786d676ff30c4b11f71e18aab863a881725aca8953a363b5f5d095ad
-
Filesize
705B
MD5528e6df3073c1f3f0876b62d03544779
SHA1f423f2ad2d5cf418e66b7adfffa4e8385ba0d6d6
SHA25632748492d77663208fe858409628616ad7156129a697620ffb54f7467d870ff3
SHA512ba5fc36f0ff661c62397b23adcf4f1873063831f051dbda6c0527725b710da1e0d94e3e281a7cd75665e7b489cba64c0b6dc06ca91ed2a8586568ec79fe44b47
-
Filesize
481B
MD544e24eb671b69f90ecec4a5171478879
SHA1165af3ed3b735f4f8fc9fee5798c03479d85924a
SHA256fe55702bb981a1d4f8055880472ad36a7b1cf092f1f71b6ce0602c8df3332608
SHA5124d86c0b27e9e6e8b2286eb384300668243f7db8055e476d8e4a638b6cc4c5cc2911185786104fdc7076c039bb8b972b1a17c36ab54b48685b7f7219e7114911d
-
Filesize
705B
MD5b2e65b86d1ad88afa22467a6edbb17c0
SHA173aee71f7950b00d731b1a8a00abd1e438e417a8
SHA25603aab16f9bf602e03c8d28ee4ae9184540187eff9d95f63828cd7f92d09e54f8
SHA5123427015ca65f31626493d3c93024afcf23bd42205026d3667efe4a87ebfb5cd4e6dc6292597db8d0192909afe1028ebe941007959be9a0f15ad7084d62a281a1
-
Filesize
194B
MD5fa64a6f06ffb3db7c11299aa0bab6f46
SHA10d49ae7bc6697eb7a9bd8d5fe40e830989529e34
SHA256484eb724b7ee2e4504d26dd557bb729079bf5d80919d09faa08c8743a64646f2
SHA51215572677ff4fa463b924b4e2f9d8ae4c29fcd502c8ab39fd03f216bb5d973041d934aad6852447a436f5be56447f8195bbf63e4380a95bbc297a0782d74a274f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD51595792be7171fce383a2665913f4041
SHA1efbfd12852381abe4191f3402ef0f4891f952894
SHA2566028c1edddff8fc0edb6d93096fcef307545a370c43c8296f74d46af8d5cc3c6
SHA512642f5dc0b66e8e5e4a27f2f92a876497eafb4851101f566b253dc0601b2963560f6b27f73ac401411e768d8fa905390c9bed954145a38fab9574492519c22244
-
Filesize
1.9MB
MD58e079931976b660c64ddb79468d6075b
SHA1e728c1b735c98351be645a68934edad1f52e09b3
SHA256c855759c0f18039722a8c96ff1d7da64aa75aff9d72e254ae6a3f2de34c50428
SHA51236e997cb6b10099db8271303d8b3f5fcb6166104720819afb2a257071e34dddb06d6f9178145680b4aa1712fa1e03d3ba9984cc900e6b42244bf2a3e3faa67e9