Overview
overview
10Static
static
ﱞﱞﱞ�...ﱞﱞ
windows10_x64
10ﱞﱞﱞ�...ﱞﱞ
windows10_x64
8ﱞﱞﱞ�...ﱞﱞ
windows10_x64
10ﱞﱞﱞ�...ﱞﱞ
windows10_x64
10ﱞﱞﱞ�...ﱞﱞ
windows7_x64
10ﱞﱞﱞ�...ﱞﱞ
windows7_x64
ﱞﱞﱞ�...ﱞﱞ
windows7_x64
10ﱞﱞﱞ�...ﱞﱞ
windows7_x64
10win102
windows10_x64
8win102
windows10_x64
win102
windows10_x64
8win102
windows10_x64
10win104
windows10_x64
10win104
windows10_x64
10win104
windows10_x64
8win104
windows10_x64
10win105
windows10_x64
8win105
windows10_x64
8win105
windows10_x64
10win105
windows10_x64
8win103
windows10_x64
8win103
windows10_x64
10win103
windows10_x64
10win103
windows10_x64
win101
windows10_x64
10win101
windows10_x64
8win101
windows10_x64
win101
windows10_x64
8win100
windows10_x64
8win100
windows10_x64
8win100
windows10_x64
8win100
windows10_x64
8Resubmissions
08-07-2021 12:18
210708-8z6d5h8z2n 1006-07-2021 17:53
210706-g6we6sa7sa 1019-06-2021 18:17
210619-vr8bj2dzfn 1017-06-2021 21:39
210617-a9cvlnmrbx 1011-06-2021 17:26
210611-wvab1yw2tj 1008-06-2021 06:47
210608-qrbpch3y46 1008-06-2021 06:47
210608-64tndgm1ln 1005-06-2021 18:40
210605-cd6qpr55sx 1004-06-2021 11:56
210604-5c416rs3ns 1004-06-2021 08:52
210604-jy9885jen2 10Analysis
-
max time kernel
1800s -
max time network
1799s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-05-2021 17:36
Static task
static1
Behavioral task
behavioral1
Sample
Install.exe
Resource
win10v20210410
Behavioral task
behavioral2
Sample
Install2.exe
Resource
win10v20210408
Behavioral task
behavioral3
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral4
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral5
Sample
Install.exe
Resource
win7v20210410
Behavioral task
behavioral6
Sample
Install2.exe
Resource
win7v20210410
Behavioral task
behavioral7
Sample
keygen-step-4.exe
Resource
win7v20210408
Behavioral task
behavioral8
Sample
keygen-step-4d.exe
Resource
win7v20210408
Behavioral task
behavioral9
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral10
Sample
Install2.exe
Resource
win10v20210408
Behavioral task
behavioral11
Sample
keygen-step-4.exe
Resource
win10v20210408
Behavioral task
behavioral12
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral13
Sample
Install.exe
Resource
win10v20210410
Behavioral task
behavioral14
Sample
Install2.exe
Resource
win10v20210410
Behavioral task
behavioral15
Sample
keygen-step-4.exe
Resource
win10v20210408
Behavioral task
behavioral16
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral17
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral18
Sample
Install2.exe
Resource
win10v20210408
Behavioral task
behavioral19
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral20
Sample
keygen-step-4d.exe
Resource
win10v20210408
Behavioral task
behavioral21
Sample
Install.exe
Resource
win10v20210410
Behavioral task
behavioral22
Sample
Install2.exe
Resource
win10v20210410
Behavioral task
behavioral23
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral24
Sample
keygen-step-4d.exe
Resource
win10v20210410
Behavioral task
behavioral25
Sample
Install.exe
Resource
win10v20210410
Behavioral task
behavioral26
Sample
Install2.exe
Resource
win10v20210408
Behavioral task
behavioral27
Sample
keygen-step-4.exe
Resource
win10v20210410
Behavioral task
behavioral28
Sample
keygen-step-4d.exe
Resource
win10v20210408
Behavioral task
behavioral29
Sample
Install.exe
Resource
win10v20210408
Behavioral task
behavioral30
Sample
Install2.exe
Resource
win10v20210408
Behavioral task
behavioral31
Sample
keygen-step-4.exe
Resource
win10v20210408
Behavioral task
behavioral32
Sample
keygen-step-4d.exe
Resource
win10v20210408
General
Malware Config
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
svchost.exedescription pid process target process PID 2192 created 4992 2192 svchost.exe app.exe PID 2192 created 6928 2192 svchost.exe app.exe -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 62 IoCs
Processes:
MsiExec.exeMsiExec.execmd.exeMsiExec.exeMsiExec.exeflow pid process 98 5896 MsiExec.exe 100 5896 MsiExec.exe 102 5896 MsiExec.exe 104 5896 MsiExec.exe 106 5896 MsiExec.exe 107 5896 MsiExec.exe 110 5896 MsiExec.exe 111 5896 MsiExec.exe 112 5896 MsiExec.exe 113 5896 MsiExec.exe 114 5896 MsiExec.exe 115 5896 MsiExec.exe 116 5896 MsiExec.exe 118 5896 MsiExec.exe 120 5896 MsiExec.exe 121 5896 MsiExec.exe 122 5896 MsiExec.exe 123 5896 MsiExec.exe 125 5896 MsiExec.exe 126 5896 MsiExec.exe 127 5896 MsiExec.exe 129 5896 MsiExec.exe 130 5896 MsiExec.exe 131 5896 MsiExec.exe 132 5896 MsiExec.exe 133 5896 MsiExec.exe 134 5896 MsiExec.exe 135 5896 MsiExec.exe 136 5896 MsiExec.exe 137 5896 MsiExec.exe 139 5896 MsiExec.exe 140 5896 MsiExec.exe 143 5896 MsiExec.exe 144 5896 MsiExec.exe 146 5896 MsiExec.exe 147 5896 MsiExec.exe 149 5896 MsiExec.exe 150 5896 MsiExec.exe 151 5896 MsiExec.exe 152 5896 MsiExec.exe 153 5896 MsiExec.exe 154 5896 MsiExec.exe 155 5896 MsiExec.exe 156 5896 MsiExec.exe 158 5896 MsiExec.exe 159 5896 MsiExec.exe 160 5896 MsiExec.exe 163 5896 MsiExec.exe 226 5372 MsiExec.exe 230 5372 MsiExec.exe 232 5372 MsiExec.exe 234 5372 MsiExec.exe 295 4620 cmd.exe 297 4620 cmd.exe 458 6048 MsiExec.exe 462 6048 MsiExec.exe 463 6048 MsiExec.exe 465 6048 MsiExec.exe 529 5284 MsiExec.exe 530 5284 MsiExec.exe 532 5284 MsiExec.exe 533 5284 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
Processes:
Ultra.exe3316505.exe4_177039.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts Ultra.exe File created C:\Windows\system32\drivers\etc\hosts 3316505.exe File opened for modification C:\Windows\system32\drivers\etc\hosts 4_177039.exe -
Executes dropped EXE 64 IoCs
Processes:
xiuhuali.exeJoSetp.exeInstall.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpCucaculoxi.exeUltraMediaBurner.exeSazhilegiqi.exefilee.exe001.exeinstaller.exejg6_6asg.exehbggg.exejfiag3g_gg.exegoogle-game.exejfiag3g_gg.exesetup.execustomer1.exejfiag3g_gg.exetoolspab1.exejfiag3g_gg.exetoolspab1.exegaoou.exejfiag3g_gg.exejfiag3g_gg.exe005.exeinstaller.exe702564a0.exeapp.execmd.exeSetup3310.tmp609F.exeSetup.exedp81GdX0OrCQ.exehjjgaa.exeRunWW.exeBarSetpFile.exeConhost.exeLabPicV3.exelylal220.exejg7_7wjg.exeaskinstall38.exeapp.exe005.exeConhost.exe3316505.exe4_177039.exeAA2D.exe3298972.exeexplorer.exeWindows Host.exe5480097.exe2889215.execmd.exeirecord.exeirecord.tmpjfiag3g_gg.exeXiluzhecozhy.exeGaesojahure.exei-record.exedp81GdX0OrCQ.exepid process 2168 xiuhuali.exe 4060 JoSetp.exe 3180 Install.exe 2716 Install.tmp 2764 Ultra.exe 1636 ultramediaburner.exe 1852 ultramediaburner.tmp 3860 Cucaculoxi.exe 3472 UltraMediaBurner.exe 4144 Sazhilegiqi.exe 4288 filee.exe 5036 001.exe 4872 installer.exe 4928 jg6_6asg.exe 2772 hbggg.exe 2764 jfiag3g_gg.exe 5936 google-game.exe 6028 jfiag3g_gg.exe 5948 setup.exe 5608 customer1.exe 5804 jfiag3g_gg.exe 4232 toolspab1.exe 5392 jfiag3g_gg.exe 6068 toolspab1.exe 5700 gaoou.exe 6088 jfiag3g_gg.exe 5788 jfiag3g_gg.exe 4880 005.exe 2168 installer.exe 5856 702564a0.exe 4992 app.exe 4540 cmd.exe 3576 Setup3310.tmp 3296 609F.exe 3908 Setup.exe 4464 dp81GdX0OrCQ.exe 5500 hjjgaa.exe 5332 RunWW.exe 5392 BarSetpFile.exe 6020 Conhost.exe 1060 LabPicV3.exe 1156 lylal220.exe 5748 jg7_7wjg.exe 4848 askinstall38.exe 4820 app.exe 5448 005.exe 5196 Conhost.exe 5668 3316505.exe 4680 4_177039.exe 2960 AA2D.exe 4256 3298972.exe 4324 explorer.exe 4824 Windows Host.exe 3448 5480097.exe 4052 2889215.exe 4620 cmd.exe 5016 irecord.exe 2280 irecord.tmp 4136 jfiag3g_gg.exe 5428 Xiluzhecozhy.exe 5180 Gaesojahure.exe 2960 AA2D.exe 3976 i-record.exe 992 dp81GdX0OrCQ.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
5480097.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5480097.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5480097.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Cucaculoxi.exekeygen-step-4.exegoogle-game.exeXiluzhecozhy.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Cucaculoxi.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation keygen-step-4.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation google-game.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Xiluzhecozhy.exe -
Loads dropped DLL 64 IoCs
Processes:
rundll32.exeInstall.tmpinstaller.exeMsiExec.exeMsiExec.exerUNdlL32.eXeMsiExec.exetoolspab1.exeinstaller.exeMsiExec.exe702564a0.exeSetup3310.tmpMsiExec.exeMsiExec.exe005.exeConhost.exerUNdlL32.eXeRunWW.exepid process 3552 rundll32.exe 2716 Install.tmp 4872 installer.exe 4872 installer.exe 4872 installer.exe 5424 MsiExec.exe 5424 MsiExec.exe 5896 MsiExec.exe 5896 MsiExec.exe 4428 rUNdlL32.eXe 5896 MsiExec.exe 5896 MsiExec.exe 5896 MsiExec.exe 5896 MsiExec.exe 5896 MsiExec.exe 5896 MsiExec.exe 5896 MsiExec.exe 5896 MsiExec.exe 4872 installer.exe 5896 MsiExec.exe 5896 MsiExec.exe 5460 MsiExec.exe 5460 MsiExec.exe 5460 MsiExec.exe 5460 MsiExec.exe 5460 MsiExec.exe 5460 MsiExec.exe 5460 MsiExec.exe 6068 toolspab1.exe 5896 MsiExec.exe 2168 installer.exe 2168 installer.exe 2168 installer.exe 5264 MsiExec.exe 5264 MsiExec.exe 5856 702564a0.exe 3576 Setup3310.tmp 3576 Setup3310.tmp 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 5372 MsiExec.exe 2168 installer.exe 5372 MsiExec.exe 5372 MsiExec.exe 5848 MsiExec.exe 5848 MsiExec.exe 5848 MsiExec.exe 5848 MsiExec.exe 5848 MsiExec.exe 5848 MsiExec.exe 5848 MsiExec.exe 5372 MsiExec.exe 5448 005.exe 5196 Conhost.exe 3832 rUNdlL32.eXe 5332 RunWW.exe 5332 RunWW.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
Ultra.exegaoou.exeexplorer.exe4_177039.exe183A.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Kalaecolapo.exe\"" Ultra.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" gaoou.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\UltraMediaBurner\\Nawilalufe.exe\"" 4_177039.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Windows\\System\\svchost.exe" 183A.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
jg6_6asg.exe5480097.exejg7_7wjg.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg6_6asg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5480097.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg7_7wjg.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
installer.exeSetup3310.tmpmsiexec.exeinstaller.exeinstaller.exedescription ioc process File opened (read-only) \??\H: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\N: Setup3310.tmp File opened (read-only) \??\W: Setup3310.tmp File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: Setup3310.tmp File opened (read-only) \??\E: Setup3310.tmp File opened (read-only) \??\H: Setup3310.tmp File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\A: Setup3310.tmp File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\B: Setup3310.tmp File opened (read-only) \??\T: Setup3310.tmp File opened (read-only) \??\M: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\O: Setup3310.tmp File opened (read-only) \??\P: Setup3310.tmp File opened (read-only) \??\P: installer.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\G: Setup3310.tmp File opened (read-only) \??\Q: Setup3310.tmp File opened (read-only) \??\U: Setup3310.tmp File opened (read-only) \??\G: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\K: Setup3310.tmp File opened (read-only) \??\H: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\V: Setup3310.tmp File opened (read-only) \??\R: installer.exe File opened (read-only) \??\J: installer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 68 ip-api.com 207 ipinfo.io 210 ipinfo.io 309 ip-api.com 500 ipinfo.io 502 ipinfo.io -
Drops file in System32 directory 10 IoCs
Processes:
svchost.exesvchost.exedescription ioc process File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #1 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #5 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #6 svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 8F39B242D864D1FE svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedUpdater svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #2 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #3 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #4 svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 276C04E8BD707D6C svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
5480097.exepid process 3448 5480097.exe -
Suspicious use of SetThreadContext 9 IoCs
Processes:
svchost.exetoolspab1.exedp81GdX0OrCQ.exetoolspab1.exewdejghewdejghe35BB.exewdejghedescription pid process target process PID 3292 set thread context of 2960 3292 svchost.exe svchost.exe PID 3292 set thread context of 2456 3292 svchost.exe svchost.exe PID 4232 set thread context of 6068 4232 toolspab1.exe toolspab1.exe PID 4464 set thread context of 992 4464 dp81GdX0OrCQ.exe dp81GdX0OrCQ.exe PID 6972 set thread context of 4444 6972 toolspab1.exe toolspab1.exe PID 6384 set thread context of 1356 6384 wdejghe wdejghe PID 5952 set thread context of 3192 5952 wdejghe wdejghe PID 1640 set thread context of 6124 1640 35BB.exe 35BB.exe PID 10100 set thread context of 9700 10100 wdejghe wdejghe -
Drops file in Program Files directory 64 IoCs
Processes:
ultramediaburner.tmpUltra.exemsiexec.exeirecord.tmpxiuhuali.exeSetup.exeSetup.exe4_177039.exejg7_7wjg.exedescription ioc process File created C:\Program Files (x86)\UltraMediaBurner\is-8A0I8.tmp ultramediaburner.tmp File created C:\Program Files (x86)\MSBuild\Kalaecolapo.exe Ultra.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File created C:\Program Files (x86)\recording\unins000.dat irecord.tmp File created C:\Program Files (x86)\recording\is-SS7MQ.tmp irecord.tmp File created C:\Program Files (x86)\recording\is-0G5LE.tmp irecord.tmp File created C:\Program Files (x86)\recording\is-T2APF.tmp irecord.tmp File created C:\Program Files\install.dat xiuhuali.exe File created C:\Program Files\install.dll xiuhuali.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe Setup.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe Setup.exe File opened for modification C:\Program Files (x86)\recording\i-record.exe irecord.tmp File opened for modification C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll irecord.tmp File opened for modification C:\Program Files (x86)\recording\swscale-2.dll irecord.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe Setup.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe Setup.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe 4_177039.exe File created C:\Program Files (x86)\recording\is-B1HGQ.tmp irecord.tmp File created C:\Program Files (x86)\recording\is-1TLIF.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe Setup.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe Setup.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe Setup.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe Setup.exe File created C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini Setup.exe File opened for modification C:\Program Files (x86)\recording\avdevice-53.dll irecord.tmp File created C:\Program Files (x86)\recording\is-GFJUI.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\d jg7_7wjg.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\MSBuild\Kalaecolapo.exe.config Ultra.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe File opened for modification C:\Program Files (x86)\recording\avfilter-2.dll irecord.tmp File created C:\Program Files (x86)\recording\is-2UVSD.tmp irecord.tmp File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url msiexec.exe File opened for modification C:\Program Files (x86)\recording\AForge.Video.dll irecord.tmp File created C:\Program Files (x86)\recording\is-C40N3.tmp irecord.tmp File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini msiexec.exe File created C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe.config 4_177039.exe File opened for modification C:\Program Files (x86)\recording\avformat-53.dll irecord.tmp File created C:\Program Files (x86)\UltraMediaBurner\Nawilalufe.exe 4_177039.exe File created C:\Program Files (x86)\recording\is-V4BG0.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\d.INTEG.RAW jg7_7wjg.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe File opened for modification C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll irecord.tmp File opened for modification C:\Program Files (x86)\recording\avcodec-53.dll irecord.tmp File created C:\Program Files (x86)\recording\is-2QM3Q.tmp irecord.tmp File created C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe.config Ultra.exe File created C:\Program Files (x86)\recording\is-MV5I9.tmp irecord.tmp File opened for modification C:\Program Files (x86)\recording\avutil-51.dll irecord.tmp File opened for modification C:\Program Files (x86)\recording\swresample-0.dll irecord.tmp File created C:\Program Files (x86)\Data Finder\Versium Research\d jg7_7wjg.exe File created C:\Program Files (x86)\Data Finder\Versium Research\tmp.edb jg7_7wjg.exe File created C:\Program Files (x86)\Data Finder\Versium Research\d.jfm jg7_7wjg.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe Setup.exe File opened for modification C:\Program Files (x86)\recording\postproc-52.dll irecord.tmp File opened for modification C:\Program Files (x86)\recording\unins000.exe irecord.tmp File created C:\Program Files (x86)\recording\is-8IOJU.tmp irecord.tmp File created C:\Program Files (x86)\recording\is-KG235.tmp irecord.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-TV7VG.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe Setup.exe File opened for modification C:\Program Files (x86)\recording\unins000.dat irecord.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\d.jfm jg7_7wjg.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe msiexec.exe File created C:\Program Files (x86)\recording\is-PH681.tmp irecord.tmp -
Drops file in Windows directory 64 IoCs
Processes:
msiexec.exesvchost.exe183A.exeWerFault.exeMicrosoftEdge.exedescription ioc process File opened for modification C:\Windows\Installer\MSI45F3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI739C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8297.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8E80.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI37F0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5EB9.tmp msiexec.exe File opened for modification C:\Windows\System\libgcc_s_sjlj-1.dll svchost.exe File opened for modification C:\Windows\Installer\MSI846D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5D51.tmp msiexec.exe File created C:\Windows\System\xxx1.bak 183A.exe File opened for modification C:\Windows\System\svchost.exe 183A.exe File opened for modification C:\Windows\System\libcrypto-1_1.dll svchost.exe File opened for modification C:\Windows\Installer\MSI41CA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICFE.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\System\spoolsv.tar svchost.exe File opened for modification C:\Windows\Installer\MSI8847.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8D65.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9F41.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3697.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI42B5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7900.tmp msiexec.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI387E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4BE0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6093.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6005.tmp msiexec.exe File opened for modification C:\Windows\System\libssp-0.dll svchost.exe File opened for modification C:\Windows\Installer\MSI78A1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5B58.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA574.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5C16.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6752.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA39B.tmp msiexec.exe File opened for modification C:\Windows\System\libevent-2-1-7.dll svchost.exe File opened for modification C:\Windows\Installer\MSI8913.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI955A.tmp msiexec.exe File created C:\Windows\System\svchost.exe 183A.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI8DE3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9440.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA3CB.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI64AE.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Installer\MSI976F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI39F7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI93F1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI48A1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4A0A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI96A3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5EE9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6401.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI77C5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI139A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI490F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8B8D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9373.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6703.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI87B4.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIA2DE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5D02.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 5468 4052 WerFault.exe 2889215.exe 2956 296 WerFault.exe MicrosoftEdgeCP.exe -
Checks SCSI registry key(s) 3 TTPs 30 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
wdejghesiejghesiejghesiejghetoolspab1.exetoolspab1.exe702564a0.exewdejghe702564a0.exewdejghedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wdejghe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI siejghe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exeRunWW.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RunWW.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RunWW.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 6584 timeout.exe -
Kills process with taskkill 6 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2188 taskkill.exe 4372 taskkill.exe 4292 taskkill.exe 5028 taskkill.exe 844 taskkill.exe 6580 taskkill.exe -
Processes:
MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
app.exeapp.exemsiexec.exesvchost.exesvchost.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" app.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19 msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" app.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" app.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" app.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exemsiexec.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\specimen.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "171" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info\Total = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\reckless.netflowcorp.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "70" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 61c6a8330d4cd701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\Total = "18" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\sickness.netflowcorp.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "328141383" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\sms.netflowcorp.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\declaration.netflowcorp.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\moment.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\declaration.netflowcorp.com = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\addicted.netflowcorp.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\presence.netflowcorp.com MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f4562dbb0d4cd701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fce12f130e4cd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "190" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\read.netflowcorp.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\memo.netflowcorp.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\note.netflowcorp.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\conflict.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\read.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "10" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\note.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\password.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\message.netflowcorp.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\new.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\acnav.online\NumberOfSubdom = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{04BCBF3C-EAF8-4E75-A858-804E41367F62} = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "9" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\big.netflowcorp.com MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\minimize.netflowcorp.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\strength.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\tropical.netflowcorp.com MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\readnow.netflowcorp.com\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowcorp.com\NumberOfSubdom = "79" MicrosoftEdgeCP.exe -
Processes:
filee.exeinstaller.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 filee.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e filee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 4324 PING.EXE 5124 PING.EXE 4624 PING.EXE -
Script User-Agent 16 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 518 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 520 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 208 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 323 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 228 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 514 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 517 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 216 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 224 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 501 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 502 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 504 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 515 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 210 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 222 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 313 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll32.exesvchost.exeultramediaburner.tmpSazhilegiqi.exepid process 3552 rundll32.exe 3552 rundll32.exe 3292 svchost.exe 3292 svchost.exe 1852 ultramediaburner.tmp 1852 ultramediaburner.tmp 3292 svchost.exe 3292 svchost.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe 4144 Sazhilegiqi.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 3036 -
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
toolspab1.exe702564a0.exeMicrosoftEdgeCP.exeexplorer.exeexplorer.exeexplorer.exetoolspab1.exe702564a0.exepid process 6068 toolspab1.exe 5856 702564a0.exe 6572 MicrosoftEdgeCP.exe 6572 MicrosoftEdgeCP.exe 3036 3036 3036 3036 3036 3036 3036 3036 6824 explorer.exe 6824 explorer.exe 6824 explorer.exe 6824 explorer.exe 6824 explorer.exe 6824 explorer.exe 3036 3036 3036 3036 6424 explorer.exe 6424 explorer.exe 6424 explorer.exe 6424 explorer.exe 6424 explorer.exe 6424 explorer.exe 3036 3036 3036 3036 6164 explorer.exe 6164 explorer.exe 6164 explorer.exe 6164 explorer.exe 6164 explorer.exe 6164 explorer.exe 3036 3036 4444 toolspab1.exe 6424 explorer.exe 6424 explorer.exe 6824 explorer.exe 6824 explorer.exe 6164 explorer.exe 6164 explorer.exe 6424 explorer.exe 6424 explorer.exe 6164 explorer.exe 6164 explorer.exe 6824 explorer.exe 6824 explorer.exe 3884 702564a0.exe 6824 explorer.exe 6824 explorer.exe 6164 explorer.exe 6164 explorer.exe 6424 explorer.exe 6424 explorer.exe 6572 MicrosoftEdgeCP.exe 6572 MicrosoftEdgeCP.exe 6164 explorer.exe 6164 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
rundll32.exesvchost.exeJoSetp.exeUltra.exesvchost.exeCucaculoxi.exeSazhilegiqi.exesvchost.exedescription pid process Token: SeDebugPrivilege 3552 rundll32.exe Token: SeTcbPrivilege 3292 svchost.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 4060 JoSetp.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 3552 rundll32.exe Token: SeDebugPrivilege 2764 Ultra.exe Token: SeTcbPrivilege 3292 svchost.exe Token: SeAuditPrivilege 2424 svchost.exe Token: SeDebugPrivilege 3860 Cucaculoxi.exe Token: SeDebugPrivilege 4144 Sazhilegiqi.exe Token: SeAssignPrimaryTokenPrivilege 2724 svchost.exe Token: SeIncreaseQuotaPrivilege 2724 svchost.exe Token: SeSecurityPrivilege 2724 svchost.exe Token: SeTakeOwnershipPrivilege 2724 svchost.exe Token: SeLoadDriverPrivilege 2724 svchost.exe Token: SeSystemtimePrivilege 2724 svchost.exe Token: SeBackupPrivilege 2724 svchost.exe Token: SeRestorePrivilege 2724 svchost.exe Token: SeShutdownPrivilege 2724 svchost.exe Token: SeSystemEnvironmentPrivilege 2724 svchost.exe Token: SeUndockPrivilege 2724 svchost.exe Token: SeManageVolumePrivilege 2724 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2724 svchost.exe Token: SeIncreaseQuotaPrivilege 2724 svchost.exe Token: SeSecurityPrivilege 2724 svchost.exe Token: SeTakeOwnershipPrivilege 2724 svchost.exe Token: SeLoadDriverPrivilege 2724 svchost.exe Token: SeSystemtimePrivilege 2724 svchost.exe Token: SeBackupPrivilege 2724 svchost.exe Token: SeRestorePrivilege 2724 svchost.exe Token: SeShutdownPrivilege 2724 svchost.exe Token: SeSystemEnvironmentPrivilege 2724 svchost.exe Token: SeUndockPrivilege 2724 svchost.exe Token: SeManageVolumePrivilege 2724 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2724 svchost.exe Token: SeIncreaseQuotaPrivilege 2724 svchost.exe Token: SeSecurityPrivilege 2724 svchost.exe Token: SeTakeOwnershipPrivilege 2724 svchost.exe Token: SeLoadDriverPrivilege 2724 svchost.exe Token: SeSystemtimePrivilege 2724 svchost.exe Token: SeBackupPrivilege 2724 svchost.exe Token: SeRestorePrivilege 2724 svchost.exe Token: SeShutdownPrivilege 2724 svchost.exe Token: SeSystemEnvironmentPrivilege 2724 svchost.exe Token: SeUndockPrivilege 2724 svchost.exe Token: SeManageVolumePrivilege 2724 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2724 svchost.exe Token: SeIncreaseQuotaPrivilege 2724 svchost.exe Token: SeSecurityPrivilege 2724 svchost.exe Token: SeTakeOwnershipPrivilege 2724 svchost.exe Token: SeLoadDriverPrivilege 2724 svchost.exe Token: SeSystemtimePrivilege 2724 svchost.exe Token: SeBackupPrivilege 2724 svchost.exe Token: SeRestorePrivilege 2724 svchost.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
ultramediaburner.tmpinstaller.exeinstaller.exeSetup3310.tmpirecord.tmpSetup3310.tmpinstaller.exepid process 1852 ultramediaburner.tmp 4872 installer.exe 2168 installer.exe 3576 Setup3310.tmp 3036 3036 2280 irecord.tmp 4200 Setup3310.tmp 4940 installer.exe 4200 Setup3310.tmp -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
xiuhuali.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe609F.exeMicrosoftEdge.exeMicrosoftEdgeCP.exepid process 2168 xiuhuali.exe 2168 xiuhuali.exe 4728 MicrosoftEdge.exe 5052 MicrosoftEdgeCP.exe 5052 MicrosoftEdgeCP.exe 3296 609F.exe 4312 MicrosoftEdge.exe 6572 MicrosoftEdgeCP.exe 6572 MicrosoftEdgeCP.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3036 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
keygen-step-4.exexiuhuali.exerundll32.exesvchost.exeInstall.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpSazhilegiqi.execmd.exefilee.execmd.execmd.exedescription pid process target process PID 3992 wrote to memory of 2168 3992 keygen-step-4.exe xiuhuali.exe PID 3992 wrote to memory of 2168 3992 keygen-step-4.exe xiuhuali.exe PID 3992 wrote to memory of 2168 3992 keygen-step-4.exe xiuhuali.exe PID 2168 wrote to memory of 3552 2168 xiuhuali.exe rundll32.exe PID 2168 wrote to memory of 3552 2168 xiuhuali.exe rundll32.exe PID 2168 wrote to memory of 3552 2168 xiuhuali.exe rundll32.exe PID 3992 wrote to memory of 4060 3992 keygen-step-4.exe JoSetp.exe PID 3992 wrote to memory of 4060 3992 keygen-step-4.exe JoSetp.exe PID 3552 wrote to memory of 3292 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 2852 3552 rundll32.exe svchost.exe PID 3292 wrote to memory of 2960 3292 svchost.exe svchost.exe PID 3292 wrote to memory of 2960 3292 svchost.exe svchost.exe PID 3292 wrote to memory of 2960 3292 svchost.exe svchost.exe PID 3552 wrote to memory of 68 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 2432 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 2424 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 1064 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 676 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 1404 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 1820 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 1184 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 1224 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 2724 3552 rundll32.exe svchost.exe PID 3552 wrote to memory of 2740 3552 rundll32.exe svchost.exe PID 3992 wrote to memory of 3180 3992 keygen-step-4.exe Install.exe PID 3992 wrote to memory of 3180 3992 keygen-step-4.exe Install.exe PID 3992 wrote to memory of 3180 3992 keygen-step-4.exe Install.exe PID 3180 wrote to memory of 2716 3180 Install.exe Install.tmp PID 3180 wrote to memory of 2716 3180 Install.exe Install.tmp PID 3180 wrote to memory of 2716 3180 Install.exe Install.tmp PID 2716 wrote to memory of 2764 2716 Install.tmp Ultra.exe PID 2716 wrote to memory of 2764 2716 Install.tmp Ultra.exe PID 2764 wrote to memory of 1636 2764 Ultra.exe ultramediaburner.exe PID 2764 wrote to memory of 1636 2764 Ultra.exe ultramediaburner.exe PID 2764 wrote to memory of 1636 2764 Ultra.exe ultramediaburner.exe PID 1636 wrote to memory of 1852 1636 ultramediaburner.exe ultramediaburner.tmp PID 1636 wrote to memory of 1852 1636 ultramediaburner.exe ultramediaburner.tmp PID 1636 wrote to memory of 1852 1636 ultramediaburner.exe ultramediaburner.tmp PID 2764 wrote to memory of 3860 2764 Ultra.exe Cucaculoxi.exe PID 2764 wrote to memory of 3860 2764 Ultra.exe Cucaculoxi.exe PID 3292 wrote to memory of 2456 3292 svchost.exe svchost.exe PID 3292 wrote to memory of 2456 3292 svchost.exe svchost.exe PID 3292 wrote to memory of 2456 3292 svchost.exe svchost.exe PID 1852 wrote to memory of 3472 1852 ultramediaburner.tmp UltraMediaBurner.exe PID 1852 wrote to memory of 3472 1852 ultramediaburner.tmp UltraMediaBurner.exe PID 2764 wrote to memory of 4144 2764 Ultra.exe Sazhilegiqi.exe PID 2764 wrote to memory of 4144 2764 Ultra.exe Sazhilegiqi.exe PID 3992 wrote to memory of 4288 3992 keygen-step-4.exe filee.exe PID 3992 wrote to memory of 4288 3992 keygen-step-4.exe filee.exe PID 3992 wrote to memory of 4288 3992 keygen-step-4.exe filee.exe PID 4144 wrote to memory of 4924 4144 Sazhilegiqi.exe cmd.exe PID 4144 wrote to memory of 4924 4144 Sazhilegiqi.exe cmd.exe PID 4924 wrote to memory of 5036 4924 cmd.exe 001.exe PID 4924 wrote to memory of 5036 4924 cmd.exe 001.exe PID 4924 wrote to memory of 5036 4924 cmd.exe 001.exe PID 4288 wrote to memory of 2756 4288 filee.exe cmd.exe PID 4288 wrote to memory of 2756 4288 filee.exe cmd.exe PID 4288 wrote to memory of 2756 4288 filee.exe cmd.exe PID 4144 wrote to memory of 3392 4144 Sazhilegiqi.exe cmd.exe PID 4144 wrote to memory of 3392 4144 Sazhilegiqi.exe cmd.exe PID 2756 wrote to memory of 4324 2756 cmd.exe PING.EXE PID 2756 wrote to memory of 4324 2756 cmd.exe PING.EXE PID 2756 wrote to memory of 4324 2756 cmd.exe PING.EXE PID 3392 wrote to memory of 4872 3392 cmd.exe installer.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1184
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2740
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2852
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2432
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1820
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1404
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1224
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1064
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
PID:676 -
C:\Users\Admin\AppData\Roaming\siejgheC:\Users\Admin\AppData\Roaming\siejghe2⤵
- Checks SCSI registry key(s)
PID:2960 -
C:\Users\Admin\AppData\Roaming\wdejgheC:\Users\Admin\AppData\Roaming\wdejghe2⤵
- Suspicious use of SetThreadContext
PID:6384 -
C:\Users\Admin\AppData\Roaming\wdejgheC:\Users\Admin\AppData\Roaming\wdejghe3⤵
- Checks SCSI registry key(s)
PID:1356 -
C:\Users\Admin\AppData\Roaming\siejgheC:\Users\Admin\AppData\Roaming\siejghe2⤵
- Checks SCSI registry key(s)
PID:1500 -
C:\Users\Admin\AppData\Roaming\wdejgheC:\Users\Admin\AppData\Roaming\wdejghe2⤵
- Suspicious use of SetThreadContext
PID:5952 -
C:\Users\Admin\AppData\Roaming\wdejgheC:\Users\Admin\AppData\Roaming\wdejghe3⤵
- Checks SCSI registry key(s)
PID:3192 -
C:\Users\Admin\AppData\Roaming\siejgheC:\Users\Admin\AppData\Roaming\siejghe2⤵
- Checks SCSI registry key(s)
PID:9888 -
C:\Users\Admin\AppData\Roaming\wdejgheC:\Users\Admin\AppData\Roaming\wdejghe2⤵
- Suspicious use of SetThreadContext
PID:10100 -
C:\Users\Admin\AppData\Roaming\wdejgheC:\Users\Admin\AppData\Roaming\wdejghe3⤵
- Checks SCSI registry key(s)
PID:9700
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:68
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Users\Admin\AppData\Local\Temp\is-LN4OT.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-LN4OT.tmp\Install.tmp" /SL5="$40146,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\is-HK97U.tmp\Ultra.exe"C:\Users\Admin\AppData\Local\Temp\is-HK97U.tmp\Ultra.exe" /S /UID=burnerch14⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe"C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Local\Temp\is-PCMQQ.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-PCMQQ.tmp\ultramediaburner.tmp" /SL5="$201D6,281924,62464,C:\Program Files\Reference Assemblies\SFLFKNWVEU\ultramediaburner.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu7⤵
- Executes dropped EXE
PID:3472 -
C:\Users\Admin\AppData\Local\Temp\25-95b40-068-be2b0-4ea4a726e2da3\Cucaculoxi.exe"C:\Users\Admin\AppData\Local\Temp\25-95b40-068-be2b0-4ea4a726e2da3\Cucaculoxi.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3860 -
C:\Users\Admin\AppData\Local\Temp\ab-20652-cb3-3f998-c16c318c3fa14\Sazhilegiqi.exe"C:\Users\Admin\AppData\Local\Temp\ab-20652-cb3-3f998-c16c318c3fa14\Sazhilegiqi.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s553volp.pac\001.exe & exit6⤵
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\s553volp.pac\001.exeC:\Users\Admin\AppData\Local\Temp\s553volp.pac\001.exe7⤵
- Executes dropped EXE
PID:5036 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exe /qn CAMPAIGN="654" & exit6⤵
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exeC:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exe /qn CAMPAIGN="654"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:4872 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gv0hsr3i.bjk\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"8⤵PID:5444
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3ickc32s.asr\hbggg.exe & exit6⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\3ickc32s.asr\hbggg.exeC:\Users\Admin\AppData\Local\Temp\3ickc32s.asr\hbggg.exe7⤵
- Executes dropped EXE
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:2764 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:6028 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵PID:7404
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵PID:5776
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\irbhm5qp.wa1\google-game.exe & exit6⤵PID:5784
-
C:\Users\Admin\AppData\Local\Temp\irbhm5qp.wa1\google-game.exeC:\Users\Admin\AppData\Local\Temp\irbhm5qp.wa1\google-game.exe7⤵
- Executes dropped EXE
- Checks computer location settings
PID:5936 -
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser8⤵
- Loads dropped DLL
PID:4428 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exe & exit6⤵PID:8
-
C:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exeC:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exe7⤵
- Executes dropped EXE
PID:5948 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\zkpnx2yf.rti\setup.exe"8⤵PID:3636
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30009⤵
- Runs ping.exe
PID:5124 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lnqj5vgc.1zu\customer1.exe & exit6⤵PID:1984
-
C:\Users\Admin\AppData\Local\Temp\lnqj5vgc.1zu\customer1.exeC:\Users\Admin\AppData\Local\Temp\lnqj5vgc.1zu\customer1.exe7⤵
- Executes dropped EXE
PID:5608 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:5804 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:5392 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵PID:2256
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵PID:7308
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe & exit6⤵PID:4400
-
C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4232 -
C:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\50rmamqx.kqv\toolspab1.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cpf2m5y1.ayw\GcleanerWW.exe /mixone & exit6⤵PID:1080
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t3u2yo5z.3cd\005.exe & exit6⤵PID:4748
-
C:\Users\Admin\AppData\Local\Temp\t3u2yo5z.3cd\005.exeC:\Users\Admin\AppData\Local\Temp\t3u2yo5z.3cd\005.exe7⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exe /qn CAMPAIGN="654" & exit6⤵PID:5000
-
C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exeC:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exe /qn CAMPAIGN="654"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2168 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\kkqgjqtj.11q\ EXE_CMD_LINE="/forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"8⤵PID:3220
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\veyd4mnu.z3s\702564a0.exe & exit6⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\veyd4mnu.z3s\702564a0.exeC:\Users\Admin\AppData\Local\Temp\veyd4mnu.z3s\702564a0.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5856 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe /8-2222 & exit6⤵PID:5400
-
C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exeC:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe /8-22227⤵
- Executes dropped EXE
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe"C:\Users\Admin\AppData\Local\Temp\btbpi4c3.ija\app.exe" /8-22228⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4820 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exe /Verysilent /subid=623 & exit6⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exe /Verysilent /subid=6237⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\is-MQVUB.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-MQVUB.tmp\Setup3310.tmp" /SL5="$3036A,138429,56832,C:\Users\Admin\AppData\Local\Temp\d2z1i3md.e3q\Setup3310.exe" /Verysilent /subid=6238⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3576 -
C:\Users\Admin\AppData\Local\Temp\is-U6C08.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-U6C08.tmp\Setup.exe" /Verysilent9⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3908 -
C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4464 -
C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"C:\Program Files (x86)\Data Finder\Versium Research\dp81GdX0OrCQ.exe"11⤵
- Executes dropped EXE
PID:992 -
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5332 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit11⤵PID:4804
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f12⤵
- Kills process with taskkill
PID:5028 -
C:\Windows\SysWOW64\timeout.exetimeout /t 612⤵
- Delays execution with timeout.exe
PID:6584 -
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"10⤵
- Executes dropped EXE
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\is-GBBTK.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-GBBTK.tmp\LabPicV3.tmp" /SL5="$303B2,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"11⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\is-AFUSC.tmp\3316505.exe"C:\Users\Admin\AppData\Local\Temp\is-AFUSC.tmp\3316505.exe" /S /UID=lab21412⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:5668 -
C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"10⤵
- Executes dropped EXE
PID:4848 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe11⤵PID:5320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe12⤵
- Kills process with taskkill
PID:4292 -
C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"10⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:5748 -
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"10⤵
- Executes dropped EXE
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\is-B43SB.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-B43SB.tmp\lylal220.tmp" /SL5="$503A2,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"11⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\is-HEI65.tmp\4_177039.exe"C:\Users\Admin\AppData\Local\Temp\is-HEI65.tmp\4_177039.exe" /S /UID=lylal22012⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4680 -
C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe"C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe" /VERYSILENT13⤵
- Executes dropped EXE
PID:5016 -
C:\Users\Admin\AppData\Local\Temp\is-98TUG.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-98TUG.tmp\irecord.tmp" /SL5="$501FA,6139911,56832,C:\Program Files\7-Zip\XXAQELTLBR\irecord.exe" /VERYSILENT14⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2280 -
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu15⤵
- Executes dropped EXE
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\d7-9f075-c5e-53981-349c2d6af9ff5\Xiluzhecozhy.exe"C:\Users\Admin\AppData\Local\Temp\d7-9f075-c5e-53981-349c2d6af9ff5\Xiluzhecozhy.exe"13⤵
- Executes dropped EXE
- Checks computer location settings
PID:5428 -
C:\Users\Admin\AppData\Local\Temp\fd-573c4-b27-4afa9-231c711d83fb7\Gaesojahure.exe"C:\Users\Admin\AppData\Local\Temp\fd-573c4-b27-4afa9-231c711d83fb7\Gaesojahure.exe"13⤵
- Executes dropped EXE
PID:5180 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f4xs5wgm.gyp\001.exe & exit14⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\f4xs5wgm.gyp\001.exeC:\Users\Admin\AppData\Local\Temp\f4xs5wgm.gyp\001.exe15⤵PID:4888
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exe /qn CAMPAIGN="654" & exit14⤵PID:4760
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5196 -
C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exeC:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exe /qn CAMPAIGN="654"15⤵PID:4200
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b0nx0npz.k4i\ EXE_CMD_LINE="/forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"16⤵PID:6480
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0vg5m1nl.tut\hbggg.exe & exit14⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\0vg5m1nl.tut\hbggg.exeC:\Users\Admin\AppData\Local\Temp\0vg5m1nl.tut\hbggg.exe15⤵PID:6204
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:6452
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:6900
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:4200
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:7528
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tizfikwu.jlu\google-game.exe & exit14⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\tizfikwu.jlu\google-game.exeC:\Users\Admin\AppData\Local\Temp\tizfikwu.jlu\google-game.exe15⤵PID:6824
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser16⤵PID:3160
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exe & exit14⤵PID:6456
-
C:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exeC:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exe15⤵PID:5024
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\smh30qga.u35\setup.exe"16⤵PID:2240
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300017⤵
- Runs ping.exe
PID:4624 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g4ftdego.q5z\customer1.exe & exit14⤵
- Executes dropped EXE
PID:4540 -
C:\Users\Admin\AppData\Local\Temp\g4ftdego.q5z\customer1.exeC:\Users\Admin\AppData\Local\Temp\g4ftdego.q5z\customer1.exe15⤵PID:7056
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:4188
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:3912
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:7292
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:1548
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe & exit14⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe15⤵
- Suspicious use of SetThreadContext
PID:6972 -
C:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\bvp252jr.ykl\toolspab1.exe16⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4444 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5f4so4fs.lh4\GcleanerWW.exe /mixone & exit14⤵PID:6332
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ahjchds3.3si\005.exe & exit14⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\ahjchds3.3si\005.exeC:\Users\Admin\AppData\Local\Temp\ahjchds3.3si\005.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exe /qn CAMPAIGN="654" & exit14⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exeC:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exe /qn CAMPAIGN="654"15⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4940 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\2rbdfaey.u1j\ EXE_CMD_LINE="/forcecleanup /wintime 1621100367 /qn CAMPAIGN=""654"" " CAMPAIGN="654"16⤵PID:6420
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yrfqw3dt.o3k\702564a0.exe & exit14⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\yrfqw3dt.o3k\702564a0.exeC:\Users\Admin\AppData\Local\Temp\yrfqw3dt.o3k\702564a0.exe15⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3884 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe /8-2222 & exit14⤵PID:3356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV115⤵
- Executes dropped EXE
PID:6020 -
C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exeC:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe /8-222215⤵PID:6928
-
C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe"C:\Users\Admin\AppData\Local\Temp\zeoblxl5.uqz\app.exe" /8-222216⤵
- Modifies data under HKEY_USERS
PID:1880 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exe /Verysilent /subid=623 & exit14⤵PID:6808
-
C:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exe /Verysilent /subid=62315⤵PID:6596
-
C:\Users\Admin\AppData\Local\Temp\is-82JT2.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-82JT2.tmp\Setup3310.tmp" /SL5="$70470,138429,56832,C:\Users\Admin\AppData\Local\Temp\5x5gwher.crc\Setup3310.exe" /Verysilent /subid=62316⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\is-K3DG8.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-K3DG8.tmp\Setup.exe" /Verysilent17⤵
- Drops file in Program Files directory
PID:4744 -
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"10⤵PID:6020
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install11⤵
- Loads dropped DLL
PID:3832 -
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"10⤵
- Executes dropped EXE
PID:5392 -
C:\Users\Admin\AppData\Roaming\3298972.exe"C:\Users\Admin\AppData\Roaming\3298972.exe"11⤵
- Executes dropped EXE
PID:4256 -
C:\Users\Admin\AppData\Roaming\2548499.exe"C:\Users\Admin\AppData\Roaming\2548499.exe"11⤵PID:4324
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"12⤵
- Executes dropped EXE
PID:4824 -
C:\Users\Admin\AppData\Roaming\5480097.exe"C:\Users\Admin\AppData\Roaming\5480097.exe"11⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3448 -
C:\Users\Admin\AppData\Roaming\2889215.exe"C:\Users\Admin\AppData\Roaming\2889215.exe"11⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 194012⤵
- Drops file in Windows directory
- Program crash
PID:5468 -
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"10⤵
- Executes dropped EXE
PID:5500 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵PID:2960
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
- Executes dropped EXE
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵PID:6188
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵PID:4028
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL3⤵
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
PID:4324 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4928 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5700 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
PID:6088 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
PID:5788 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵PID:580
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵PID:2264
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:2960 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:2456
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4728
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4828
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5052
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4800
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:5164
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5156 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D7DEF1FD6EE30F073481B3291C833B92 C2⤵
- Loads dropped DLL
PID:5424 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C1E5665A868543128306906FDA6AB4F02⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5896 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:2188 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BFD60357CF001D17D81AD1A080631AD8 E Global\MSI00002⤵
- Loads dropped DLL
PID:5460 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 40ACF6CFD921E583E4AEC43727486C80 C2⤵
- Loads dropped DLL
PID:5264 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B962420A81DA5BC49094551A23E4E8292⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5372 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:4372 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 35F469329207CAAB4E2080F8C1F1E032 E Global\MSI00002⤵
- Loads dropped DLL
PID:5848 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EDCAFCEC10791EF8F759801DF3A99EF3 C2⤵PID:6176
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0C43129E60EF442A2233BC24757484642⤵
- Blocklisted process makes network request
PID:6048 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:844 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4948
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A2F0802D209EAFC209BA64EB6920B06D E Global\MSI00002⤵PID:6296
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 422DADA362AFC3E8405A08931DBB1044 C2⤵PID:5472
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FE8A9E9A6486B64AEE4C4A6B85B522892⤵
- Blocklisted process makes network request
PID:5284 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:6580 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A37B7C8D89D50CC1174E2157062D8E48 E Global\MSI00002⤵PID:740
-
C:\Users\Admin\AppData\Local\Temp\609F.exeC:\Users\Admin\AppData\Local\Temp\609F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3296
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2192
-
C:\Users\Admin\AppData\Local\Temp\9FCC.exeC:\Users\Admin\AppData\Local\Temp\9FCC.exe1⤵PID:4620
-
C:\Users\Admin\AppData\Local\Temp\AA2D.exeC:\Users\Admin\AppData\Local\Temp\AA2D.exe1⤵
- Executes dropped EXE
PID:2960
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4312
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4980
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6572
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:6828
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6860
-
C:\Users\Admin\AppData\Local\Temp\183A.exeC:\Users\Admin\AppData\Local\Temp\183A.exe1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:6728 -
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true2⤵PID:6152
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Drops file in Windows directory
PID:4172 -
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true3⤵PID:5696
-
C:\Windows\System\spoolsv.exe"C:\Windows\System\spoolsv.exe" --MaxCircuitDirtiness 60 --NewCircuitPeriod 1 --MaxClientCircuitsPending 1024 --OptimisticData 1 --KeepalivePeriod 30 --CircuitBuildTimeout 10 --EnforceDistinctSubnets 0 --HardwareAccel 1 --UseEntryGuards 03⤵PID:6600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6152
-
C:\Users\Admin\AppData\Local\Temp\1DD9.exeC:\Users\Admin\AppData\Local\Temp\1DD9.exe1⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\21E1.exeC:\Users\Admin\AppData\Local\Temp\21E1.exe1⤵PID:6452
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3856
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:5080
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4324
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:6824
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2324
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:6424
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6632
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:6164
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6544
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:5940
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6708
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5216
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7460
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:296
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 296 -s 19322⤵
- Program crash
PID:2956
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:6432
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:64
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:3972
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:416
-
C:\Users\Admin\AppData\Local\Temp\35BB.exeC:\Users\Admin\AppData\Local\Temp\35BB.exe1⤵
- Suspicious use of SetThreadContext
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\35BB.exeC:\Users\Admin\AppData\Local\Temp\35BB.exe2⤵PID:6124
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:580
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:9992
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
7124be0b78b9f4976a9f78aaeaed893a
SHA1804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA51249f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3
-
MD5
7124be0b78b9f4976a9f78aaeaed893a
SHA1804f3e4b3f9131be5337b706d5a9ea6fcfa53e25
SHA256bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3
SHA51249f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3
-
MD5
6103ca066cd5345ec41feaf1a0fdadaf
SHA1938acc555933ee4887629048be4b11df76bb8de8
SHA256b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3
-
MD5
6103ca066cd5345ec41feaf1a0fdadaf
SHA1938acc555933ee4887629048be4b11df76bb8de8
SHA256b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201
SHA512a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3
-
MD5
806c3221a013fec9530762750556c332
SHA136475bcfd0a18555d7c0413d007bbe80f7d321b5
SHA2569bcecc5fb84d21db673c81a7ed1d10b28686b8261f79136f748ab7bbad7752f7
SHA51256bbaafe7b0883f4e5dcff00ae69339a3b81ac8ba90b304aeab3e4e7e7523b568fd9b269241fc38a39f74894084f1f252a91c22b79cc0a16f9e135859a13145e
-
MD5
fe60ddbeab6e50c4f490ddf56b52057c
SHA16a71fdf73761a1192fd9c6961f66754a63d6db17
SHA2569fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
SHA5120113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD569e2548890c68194a1b3f7c2bf5c580d
SHA10e791dac689151ebba93f971e6aa306ad25dfc42
SHA256d2d97149c0a42f419c03f78020389a03d23e66797cf6fdc9d3b0c7553e47afc0
SHA512da597e5aeb0a57465f030439193f904e8cc4518e4c8d9e46a0306d6e69a2182cf6cab696c6a0ceba13236db1046e801c58fdfcec6842fd302c07277f1c0589f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5aaa2005db4caa5ba49022cf488b27f23
SHA1c62806a77080d5bdf3812a2a5c2eea89f7a5d000
SHA25652ccf55eebd409ef86a9e7b146834851f7e3d8084729568785d4eafde933ebfe
SHA51208508a1d49ac6dc853f57b6a8c71ab90735307a56a1cb8781d5b7beda5e1129c88dd379b41fb0a80b86ea1db2759a630d84aee8356034908b227e8002a2ad806
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD551beb5d04ee32e8db88506df2c32be54
SHA1647b07d0ba8abbc4a86dec72e6d30b71adad19b1
SHA256505ea4594fbc0d51b48227c6358385c3e93fee7461341cdeb2bf62d24bc5e642
SHA512ce64a6f7a5d943f941c6abbd96c141fe901384049a5ff55f416571b6e48d8163f0522b42f9015d57c7f4d8b41b0508b2326e66a27fffea2e3d4a161d4182e6fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5ad506e8baa58deb73f99d2c33cccbab9
SHA1a312bd56f6816d2a3f25b1cf2641c9ef2c6c09c3
SHA256d4b57136e2425e39908791d10401b468d66da92358757346fa9abbece9e1b8aa
SHA512a4f7413196b4771421a569e82f9156a7eb38d93dca99da6278e8104a4951d3147a992c3b3aadeb0ded4ae9cb257e7597646602ccfdfa30530690421c356bd0f4
-
MD5
8cafd4f3902a7a908fb7aa7fcf113286
SHA1c9a1954ad5fa282f5afe2a9804633a2e2616a579
SHA256a23513166b89d87d1f7bebcffa835101bc29a433af6bfd52e6b971232d3c2dec
SHA5127cc4d632ca7d2292cccf499d8950888f344971a586b025231b8a090f9872369572aa4dc99a38e550af3b910d7ab66dcb8034a117e65cdc483dd8c4f3c839cbd4
-
MD5
e9c7d1f6a5e11242bf93c619998f0bfc
SHA168f0e0f12e7da5db55dfe74870ccc101eba46fa5
SHA2568d998a652deed6704f4bda839aab75a2c95a7f02fa809daefc0dcb9dd40adf19
SHA512a514f3bf1dde515002f74593409f15487ed7a47c2d57b6c50a4037018aa9a97c5d6eb3c36daf3e7a7e3e6e2a891a75dd8784ff50cccff9a967e29f7fe6247070
-
MD5
e9c7d1f6a5e11242bf93c619998f0bfc
SHA168f0e0f12e7da5db55dfe74870ccc101eba46fa5
SHA2568d998a652deed6704f4bda839aab75a2c95a7f02fa809daefc0dcb9dd40adf19
SHA512a514f3bf1dde515002f74593409f15487ed7a47c2d57b6c50a4037018aa9a97c5d6eb3c36daf3e7a7e3e6e2a891a75dd8784ff50cccff9a967e29f7fe6247070
-
MD5
98d2687aec923f98c37f7cda8de0eb19
SHA1f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA2568a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA51295c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590
-
MD5
e6f6fd13001b8df1af345df56caba5de
SHA14639598a1b7f83eab1d8c6b1007d4defb2dde0ba
SHA256be9e8c5b72df9c0f418a12cef658764322972c7338e285f6c53152330a4d69ab
SHA5122809c8f0f88bb1f62fba6afcfda707db6cabe4867642d14e3081d10a2a240eb75788ba535b3cb9cd19748f46635ff8921d1ec7526b7973d613ba038abeb758e4
-
MD5
e6f6fd13001b8df1af345df56caba5de
SHA14639598a1b7f83eab1d8c6b1007d4defb2dde0ba
SHA256be9e8c5b72df9c0f418a12cef658764322972c7338e285f6c53152330a4d69ab
SHA5122809c8f0f88bb1f62fba6afcfda707db6cabe4867642d14e3081d10a2a240eb75788ba535b3cb9cd19748f46635ff8921d1ec7526b7973d613ba038abeb758e4
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
MD5
43d68e8389e7df33189d1c1a05a19ac8
SHA1caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA25685dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA51258a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
MD5
41a5f4fd1ea7cac4aa94a87aebccfef0
SHA10d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA25697e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA5125ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f
-
MD5
41a5f4fd1ea7cac4aa94a87aebccfef0
SHA10d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA25697e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA5125ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f
-
MD5
3b1b318df4d314a35dce9e8fd89e5121
SHA155b0f8d56212a74bda0fc5f8cc0632ef52a4bc71
SHA2564df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b
SHA512f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4
-
MD5
3b1b318df4d314a35dce9e8fd89e5121
SHA155b0f8d56212a74bda0fc5f8cc0632ef52a4bc71
SHA2564df9e7fcd10900ae5def897377f54856b0ddad1798fa22614eba56096940885b
SHA512f04faca320d344378dd31bf05556fb3ac02873e46e2140d5858162e739f5c25bc9b32d619587c84c36b768b9193ea5292d63f62bb0b8458b35d65959b52df6b4
-
MD5
3bc84c0e8831842f2ae263789217245d
SHA1d60b174c7f8372036da1eb0a955200b1bb244387
SHA256757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
SHA512f3117a6bd79db1d67dce2c67d539c56c177caed9f0b5b019dfb0034f28cb2e79e248893171c2ad78cbca358c2f5813edb17f0126ab40cfe08f9a6357f233f2e4
-
MD5
3bc84c0e8831842f2ae263789217245d
SHA1d60b174c7f8372036da1eb0a955200b1bb244387
SHA256757e7c2569cc52c9e1639fbca06e957cb40f775d5cb1a8aafa670131b62b0824
SHA512f3117a6bd79db1d67dce2c67d539c56c177caed9f0b5b019dfb0034f28cb2e79e248893171c2ad78cbca358c2f5813edb17f0126ab40cfe08f9a6357f233f2e4
-
MD5
25d9f83dc738b4894cf159c6a9754e40
SHA1152a0e0a8319c8d6bfbe6ae71ae5dda5cba2caca
SHA2568216cf00254d2febdfa67014d7265e008a6f485724c68579c5921f91a0069135
SHA51241a995bd29eaaf8b9ebed313f33eaf6ba217e331341888feb274df22328aca34a15bc0dd761cbdadf8d0491ed80d18025b88d8e1db862be2a886d99005b11f22
-
MD5
25d9f83dc738b4894cf159c6a9754e40
SHA1152a0e0a8319c8d6bfbe6ae71ae5dda5cba2caca
SHA2568216cf00254d2febdfa67014d7265e008a6f485724c68579c5921f91a0069135
SHA51241a995bd29eaaf8b9ebed313f33eaf6ba217e331341888feb274df22328aca34a15bc0dd761cbdadf8d0491ed80d18025b88d8e1db862be2a886d99005b11f22
-
MD5
e72eb3a565d7b5b83c7ff6fad519c6c9
SHA11a2668a26b01828eec1415aa614743abb0a4fb70
SHA2568ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599
SHA51271ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3
-
MD5
e72eb3a565d7b5b83c7ff6fad519c6c9
SHA11a2668a26b01828eec1415aa614743abb0a4fb70
SHA2568ff1e74643983f7ca9bca70f1bea562e805a86421defde1bd57fc0da3722f599
SHA51271ae4db9c307c068f31a4e6471d950d1112d89d5661a4960dffbf6a7343cc313f98cfc35c5a10d38aae68be4b0a3f6a702fd5c28d938ca00094b26d0bcf03da3
-
MD5
97384261b8bbf966df16e5ad509922db
SHA12fc42d37fee2c81d767e09fb298b70c748940f86
SHA2569c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c
SHA512b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21
-
MD5
ac6a091fe7502922d0bad06a6cf6f2d2
SHA17c8143096ce40874b361abc29e2b2b9c96bc6600
SHA256257dd9fed847f82d9710861bb32bcad4f334c55be5ae59536ca3baeed83884cf
SHA5127b4b98b234c48f65932aad62488d859297555ac3caf5cbc9d53389137b2678b249db2a71174b14f2cd53cd83999577660c6da40ab52a1613bb982acee54c3334
-
MD5
ac6a091fe7502922d0bad06a6cf6f2d2
SHA17c8143096ce40874b361abc29e2b2b9c96bc6600
SHA256257dd9fed847f82d9710861bb32bcad4f334c55be5ae59536ca3baeed83884cf
SHA5127b4b98b234c48f65932aad62488d859297555ac3caf5cbc9d53389137b2678b249db2a71174b14f2cd53cd83999577660c6da40ab52a1613bb982acee54c3334
-
MD5
98d2687aec923f98c37f7cda8de0eb19
SHA1f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7
SHA2568a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465
SHA51295c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590
-
MD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
MD5
c313ddb7df24003d25bf62c5a218b215
SHA120a3404b7e17b530885fa0be130e784f827986ee
SHA256e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
SHA512542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff
-
MD5
c313ddb7df24003d25bf62c5a218b215
SHA120a3404b7e17b530885fa0be130e784f827986ee
SHA256e3bc81a59fc45dfdfcc57b0078437061cb8c3396e1d593fcf187e3cdf0373ed1
SHA512542e2746626a066f3e875ae2f0d15e2c4beb5887376bb0218090f0e8492a6fdb11fa02b035d7d4200562811df7d2187b8a993a0b7f65489535919bdf11eb4cff
-
MD5
d7a2fe11bef3ccc42a1a29a2afb62323
SHA1ca60570ddf0170099280aee3f8b250752c2c9f43
SHA256a8e79133fdda3413e96d4b2808b4484aa2a2b3df4d0d65919896eda84cef153c
SHA5129eaf0541e592869fd4d1d12b3180b35a276788e8a720b4a41b73f144347a214d4150bf673c1acd82314ec4c704f24544394ecc924a8c11abaa6f80d01942b9b2
-
MD5
fc191886af8128ecd1c1fdfa194d7969
SHA145084d0bd44e9019851853c7b5fbb10878f6eee9
SHA2567a28673e12c61c5f1d48f224db3f6549be50e7278ab4116c60f3e90fa095fdac
SHA5122a7754cf0b2b7445d549184bf969e39dc00ec132dc12344f67d398167a8018ebb7db7502459d872d3630342a001ee34965e7465e36025aa64d205c7cf69806eb
-
MD5
fc191886af8128ecd1c1fdfa194d7969
SHA145084d0bd44e9019851853c7b5fbb10878f6eee9
SHA2567a28673e12c61c5f1d48f224db3f6549be50e7278ab4116c60f3e90fa095fdac
SHA5122a7754cf0b2b7445d549184bf969e39dc00ec132dc12344f67d398167a8018ebb7db7502459d872d3630342a001ee34965e7465e36025aa64d205c7cf69806eb
-
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA2560ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA51249d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a
-
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683
SHA1ff26f4b8ba148ddd488dde4eadd2412d6c288580
SHA2560ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2
SHA51249d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a
-
MD5
45ca138d0bb665df6e4bef2add68c7bf
SHA112c1a48e3a02f319a3d3ca647d04442d55e09265
SHA2563960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37
SHA512cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f
-
MD5
4e8c7308803ce36c8c2c6759a504c908
SHA1a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA25690fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7
-
MD5
4e8c7308803ce36c8c2c6759a504c908
SHA1a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc
SHA25690fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c
SHA512780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7
-
MD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
MD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
MD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
MD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
MD5
fa8dd39e54418c81ef4c7f624012557c
SHA1c3cb938cc4086c36920a4cb3aea860aed3f7e9da
SHA2560b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7
SHA51266d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601
-
MD5
fa8dd39e54418c81ef4c7f624012557c
SHA1c3cb938cc4086c36920a4cb3aea860aed3f7e9da
SHA2560b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7
SHA51266d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601
-
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi
MD598e537669f4ce0062f230a14bcfcaf35
SHA1a19344f6a5e59c71f51e86119f5fa52030a92810
SHA2566f515aac05311f411968ee6e48d287a1eb452e404ffeff75ee0530dcf3243735
SHA5121ebc254289610be65882a6ceb1beebbf2be83006117f0a6ccbddd19ab7dc807978232a13ad5fa39b6f06f694d4f7c75760b773d70b87c0badef1da89bb7af3ac
-
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2
SHA14a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA25673af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA5123f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
MD5
fe60ddbeab6e50c4f490ddf56b52057c
SHA16a71fdf73761a1192fd9c6961f66754a63d6db17
SHA2569fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
SHA5120113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536
-
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2
SHA14a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA25673af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA5123f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
MD5
43d68e8389e7df33189d1c1a05a19ac8
SHA1caf9cc610985e5cfdbae0c057233a6194ecbfed4
SHA25685dc7518ad5aa46ef572f17050e3b004693784d1855cca9390da1143a64fceae
SHA51258a76b4cb8f53cee73a8fc2afbd69388a1f2ea30ea3c0007beaa361cb0cc3d4d18c1fa8ccf036a2d2cf8fa07b01451000a704a626d95bd050afe6ba808e6de1e
-
MD5
d7a2fe11bef3ccc42a1a29a2afb62323
SHA1ca60570ddf0170099280aee3f8b250752c2c9f43
SHA256a8e79133fdda3413e96d4b2808b4484aa2a2b3df4d0d65919896eda84cef153c
SHA5129eaf0541e592869fd4d1d12b3180b35a276788e8a720b4a41b73f144347a214d4150bf673c1acd82314ec4c704f24544394ecc924a8c11abaa6f80d01942b9b2
-
MD5
8f995688085bced38ba7795f60a5e1d3
SHA15b1ad67a149c05c50d6e388527af5c8a0af4343a
SHA256203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006
SHA512043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35
-
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc
SHA1383a55cc0ab890f41b71ca67e070ac7c903adeb6
SHA25639412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc
SHA512ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4
-
MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc
SHA1383a55cc0ab890f41b71ca67e070ac7c903adeb6
SHA25639412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc
SHA512ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4
-
MD5
7468eca4e3b4dbea0711a81ae9e6e3f2
SHA14a0c34c342ee7c9df2a0d58d0b5e8bfe94d1251d
SHA25673af1e816ec70be2a3e087af6ed7abc783c50c06b9df224f101e13a792df9837
SHA5123f93a70c8cc05426e08a404c9d1922a46dd4122e7f42bc292f3b5064903a15e13069b58cb615918cc06deaf31bd5805a925cbd656aabc5d78068eb7224a63f56
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8
-
MD5
0981d5c068a9c33f4e8110f81ffbb92e
SHA1badb871adf6f24aba6923b9b21b211cea2aeca77
SHA256b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68
SHA51259cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8