Analysis
-
max time kernel
150s
-
max time network
155s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230915-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
-
submitted
23-09-2023 22:19
Static task
static1
Behavioral task
behavioral1
Sample
31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe
Resource
win10v2004-20230915-en
General
-
Target
31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe
-
Size
1.0MB
-
MD5
f87f3dd471e12b1d78046225908e2289
-
SHA1
d903b0bbdd441b1e62287a533f304ff5c4be37db
-
SHA256
31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8
-
SHA512
5311ff055993bfbe31df6893d312626f7aa013730e55c0997c16c9b739919a5c45b5e22842500ffc750be99835375506e20c56eb3462477b533723a39b7c98a0
-
SSDEEP
24576:syvIiV/zqScH1y2q3ou9XmAxwSkRAUu8Pz6AcdmlmRPYD0LrwsF5kglN:bvDVLqVH1Xw9XXkRwZ5d9gewsDkE
Malware Config
Extracted
redline
nanya
77.91.124.82:19071
-
auth_value
640aa5afe54f566d8795f0dc723f8b52
Extracted
amadey
3.89
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Extracted
C:\info.hta
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\EBA3.tmp\svchost.exe | family_ammyyadmin
C:\Users\Admin\AppData\Local\Temp\EBA3.tmp\svchost.exe | family_ammyyadmin
-
Detect rhadamanthys stealer shellcode 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4704-120-0x0000000002EA0000-0x00000000032A0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4704-119-0x0000000002EA0000-0x00000000032A0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4704-122-0x0000000002EA0000-0x00000000032A0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4704-124-0x0000000002EA0000-0x00000000032A0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4704-133-0x0000000002EA0000-0x00000000032A0000-memory.dmp | family_rhadamanthys
behavioral1/memory/4704-134-0x0000000002EA0000-0x00000000032A0000-memory.dmp | family_rhadamanthys
-
Detects Healer an antivirus disabler dropper 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5040-35-0x0000000000400000-0x000000000040A000-memory.dmp | healer
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Processes:
AppLaunch.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
-
Phemedrone
An information and wallet stealer written in C#.
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2376-48-0x0000000000400000-0x0000000000430000-memory.dmp | family_redline
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
rh111.exe
description | pid | process | target process
PID 4704 created 3196 | 4704 | rh111.exe | Explorer.EXE
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe
pid | process
60 | bcdedit.exe
4724 | bcdedit.exe
4364 | bcdedit.exe
5208 | bcdedit.exe
-
Renames multiple (470) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
wbadmin.exe, wbadmin.exe
pid | process
1468 | wbadmin.exe
5056 | wbadmin.exe
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
NSzC8pOj.exe, t4284382.exe, explonde.exe, u8937903.exe, legota.exe, A3FF.exe, 9FD8.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | NSzC8pOj.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | t4284382.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | explonde.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | u8937903.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | legota.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | A3FF.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | 9FD8.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | svchost.exe
-
Drops startup file 2 IoCs
Processes:
NSzC8pOj.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | NSzC8pOj.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[6E673161-3483].[[email protected]].8base | NSzC8pOj.exe
-
Executes dropped EXE 35 IoCs
Processes:
z8248323.exe, z0475414.exe, z9219702.exe, z9794020.exe, q6221924.exe, r3752745.exe, s1106700.exe, t4284382.exe, explonde.exe, u8937903.exe, legota.exe, w8618455.exe, rh111.exe, rh111.exe, NSzC8pOj.exe, K367)Qpxg.exe, NSzC8pOj.exe, K367)Qpxg.exe, NSzC8pOj.exe, NSzC8pOj.exe, legota.exe, explonde.exe, 9892.exe, 9A29.exe, 9892.exe, 9E41.exe, 9FD8.exe, A3FF.exe, AFC8.exe, Ynigope.exe, Ynigope.exe, svchost.exe, 9A29.exe, legota.exe, explonde.exe
pid | process
3852 | z8248323.exe
4984 | z0475414.exe
2212 | z9219702.exe
4536 | z9794020.exe
428 | q6221924.exe
1928 | r3752745.exe
3064 | s1106700.exe
3692 | t4284382.exe
2896 | explonde.exe
4780 | u8937903.exe
4496 | legota.exe
924 | w8618455.exe
4584 | rh111.exe
4704 | rh111.exe
3080 | NSzC8pOj.exe
3372 | K367)Qpxg.exe
3824 | NSzC8pOj.exe
2224 | K367)Qpxg.exe
1324 | NSzC8pOj.exe
1516 | NSzC8pOj.exe
4388 | legota.exe
4116 | explonde.exe
4324 | 9892.exe
4608 | 9A29.exe
3988 | 9892.exe
852 | 9E41.exe
1708 | 9FD8.exe
4452 | A3FF.exe
3024 | AFC8.exe
3988 | Ynigope.exe
3696 | Ynigope.exe
5344 | svchost.exe
2756 | 9A29.exe
5232 | legota.exe
5596 | explonde.exe
-
Loads dropped DLL 3 IoCs
Processes:
rundll32.exe, rundll32.exe, rundll32.exe
pid | process
3172 | rundll32.exe
1844 | rundll32.exe
4956 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 12 IoCs
Processes:
certreq.exe, explorer.exe, aspnet_compiler.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes:
31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe, z8248323.exe, z0475414.exe, z9219702.exe, z9794020.exe, NSzC8pOj.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z8248323.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z0475414.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z9219702.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z9794020.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSzC8pOj = "C:\\Users\\Admin\\AppData\\Local\\NSzC8pOj.exe" | NSzC8pOj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NSzC8pOj = "C:\\Users\\Admin\\AppData\\Local\\NSzC8pOj.exe" | NSzC8pOj.exe
-
Drops desktop.ini file(s) 64 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
106 | ip-api.com
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
svchost.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | svchost.exe
-
Suspicious use of SetThreadContext 12 IoCs
Processes:
q6221924.exe, r3752745.exe, s1106700.exe, rh111.exe, NSzC8pOj.exe, K367)Qpxg.exe, NSzC8pOj.exe, 9892.exe, 9E41.exe, 9FD8.exe, A3FF.exe, 9A29.exe
description | pid | process | target process
PID 428 set thread context of 5040 | 428 | q6221924.exe | AppLaunch.exe
PID 1928 set thread context of 1568 | 1928 | r3752745.exe | AppLaunch.exe
PID 3064 set thread context of 2376 | 3064 | s1106700.exe | AppLaunch.exe
PID 4584 set thread context of 4704 | 4584 | rh111.exe | rh111.exe
PID 3080 set thread context of 3824 | 3080 | NSzC8pOj.exe | NSzC8pOj.exe
PID 3372 set thread context of 2224 | 3372 | K367)Qpxg.exe | K367)Qpxg.exe
PID 1324 set thread context of 1516 | 1324 | NSzC8pOj.exe | NSzC8pOj.exe
PID 4324 set thread context of 3988 | 4324 | 9892.exe | 9892.exe
PID 852 set thread context of 1784 | 852 | 9E41.exe | aspnet_compiler.exe
PID 1708 set thread context of 4324 | 1708 | 9FD8.exe | aspnet_compiler.exe
PID 4452 set thread context of 1920 | 4452 | A3FF.exe | explorer.exe
PID 4608 set thread context of 2756 | 4608 | 9A29.exe | 9A29.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 7 IoCs
Processes:
WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
4500 | 428 | WerFault.exe | q6221924.exe
408 | 1928 | WerFault.exe | r3752745.exe
1656 | 1568 | WerFault.exe | AppLaunch.exe
4720 | 3064 | WerFault.exe | s1106700.exe
468 | 1784 | WerFault.exe | aspnet_compiler.exe
2872 | 3024 | WerFault.exe | AFC8.exe
1172 | 3024 | WerFault.exe | AFC8.exe
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exe, K367)Qpxg.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K367)Qpxg.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K367)Qpxg.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | K367)Qpxg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
certreq.exe
description ioc process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 certreq.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString certreq.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid process
3824 schtasks.exe
464 schtasks.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe, vssadmin.exe
pid process
4028 vssadmin.exe
4136 vssadmin.exe
-
Modifies registry class 3 IoCs
Processes:
Explorer.EXE, NSzC8pOj.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings NSzC8pOj.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
AppLaunch.exe, rh111.exe, rh111.exe, certreq.exe, NSzC8pOj.exe, K367)Qpxg.exe, K367)Qpxg.exe, NSzC8pOj.exe, Explorer.EXE, NSzC8pOj.exe
pid process
5040 AppLaunch.exe
5040 AppLaunch.exe
4584 rh111.exe
4704 rh111.exe
4704 rh111.exe
4704 rh111.exe
4704 rh111.exe
4116 certreq.exe
4116 certreq.exe
4116 certreq.exe
4116 certreq.exe
3080 NSzC8pOj.exe
3372 K367)Qpxg.exe
2224 K367)Qpxg.exe
2224 K367)Qpxg.exe
1324 NSzC8pOj.exe
3196 Explorer.EXE
3196 Explorer.EXE
3824 NSzC8pOj.exe
3824 NSzC8pOj.exe
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3824 NSzC8pOj.exe
3824 NSzC8pOj.exe
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3824 NSzC8pOj.exe
3824 NSzC8pOj.exe
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3824 NSzC8pOj.exe
3824 NSzC8pOj.exe
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
3196 Explorer.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid process
3196 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 33 IoCs
Processes:
K367)Qpxg.exeExplorer.EXEexplorer.exepid process 2224 K367)Qpxg.exe 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 3196 Explorer.EXE 4108 explorer.exe 4108 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
AppLaunch.exe, rh111.exe, NSzC8pOj.exe, K367)Qpxg.exe, NSzC8pOj.exe, NSzC8pOj.exe, vssvc.exe, WMIC.exe, wbengine.exe, Explorer.EXE, 9892.exe, 9E41.exe, 9FD8.exe, 9A29.exe, A3FF.exe, AFC8.exe
description pid process
Token: SeDebugPrivilege 5040 AppLaunch.exe
Token: SeDebugPrivilege 4584 rh111.exe
Token: SeDebugPrivilege 3080 NSzC8pOj.exe
Token: SeDebugPrivilege 3372 K367)Qpxg.exe
Token: SeDebugPrivilege 1324 NSzC8pOj.exe
Token: SeDebugPrivilege 3824 NSzC8pOj.exe
Token: SeBackupPrivilege 4528 vssvc.exe
Token: SeRestorePrivilege 4528 vssvc.exe
Token: SeAuditPrivilege 4528 vssvc.exe
Token: SeIncreaseQuotaPrivilege 4836 WMIC.exe
Token: SeSecurityPrivilege 4836 WMIC.exe
Token: SeTakeOwnershipPrivilege 4836 WMIC.exe
Token: SeLoadDriverPrivilege 4836 WMIC.exe
Token: SeSystemProfilePrivilege 4836 WMIC.exe
Token: SeSystemtimePrivilege 4836 WMIC.exe
Token: SeProfSingleProcessPrivilege 4836 WMIC.exe
Token: SeIncBasePriorityPrivilege 4836 WMIC.exe
Token: SeCreatePagefilePrivilege 4836 WMIC.exe
Token: SeBackupPrivilege 4836 WMIC.exe
Token: SeRestorePrivilege 4836 WMIC.exe
Token: SeShutdownPrivilege 4836 WMIC.exe
Token: SeDebugPrivilege 4836 WMIC.exe
Token: SeSystemEnvironmentPrivilege 4836 WMIC.exe
Token: SeRemoteShutdownPrivilege 4836 WMIC.exe
Token: SeUndockPrivilege 4836 WMIC.exe
Token: SeManageVolumePrivilege 4836 WMIC.exe
Token: 33 4836 WMIC.exe
Token: 34 4836 WMIC.exe
Token: 35 4836 WMIC.exe
Token: 36 4836 WMIC.exe
Token: SeIncreaseQuotaPrivilege 4836 WMIC.exe
Token: SeSecurityPrivilege 4836 WMIC.exe
Token: SeTakeOwnershipPrivilege 4836 WMIC.exe
Token: SeLoadDriverPrivilege 4836 WMIC.exe
Token: SeSystemProfilePrivilege 4836 WMIC.exe
Token: SeSystemtimePrivilege 4836 WMIC.exe
Token: SeProfSingleProcessPrivilege 4836 WMIC.exe
Token: SeIncBasePriorityPrivilege 4836 WMIC.exe
Token: SeCreatePagefilePrivilege 4836 WMIC.exe
Token: SeBackupPrivilege 4836 WMIC.exe
Token: SeRestorePrivilege 4836 WMIC.exe
Token: SeShutdownPrivilege 4836 WMIC.exe
Token: SeDebugPrivilege 4836 WMIC.exe
Token: SeSystemEnvironmentPrivilege 4836 WMIC.exe
Token: SeRemoteShutdownPrivilege 4836 WMIC.exe
Token: SeUndockPrivilege 4836 WMIC.exe
Token: SeManageVolumePrivilege 4836 WMIC.exe
Token: 33 4836 WMIC.exe
Token: 34 4836 WMIC.exe
Token: 35 4836 WMIC.exe
Token: 36 4836 WMIC.exe
Token: SeBackupPrivilege 3992 wbengine.exe
Token: SeRestorePrivilege 3992 wbengine.exe
Token: SeSecurityPrivilege 3992 wbengine.exe
Token: SeShutdownPrivilege 3196 Explorer.EXE
Token: SeCreatePagefilePrivilege 3196 Explorer.EXE
Token: SeShutdownPrivilege 3196 Explorer.EXE
Token: SeCreatePagefilePrivilege 3196 Explorer.EXE
Token: SeDebugPrivilege 4324 9892.exe
Token: SeDebugPrivilege 852 9E41.exe
Token: SeDebugPrivilege 1708 9FD8.exe
Token: SeDebugPrivilege 4608 9A29.exe
Token: SeDebugPrivilege 4452 A3FF.exe
Token: SeDebugPrivilege 3024 AFC8.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
svchost.exe
pid process
5344 svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe, z8248323.exe, z0475414.exe, z9219702.exe, z9794020.exe, q6221924.exe, r3752745.exe, s1106700.exe, t4284382.exe
description pid process target process
PID 2860 wrote to memory of 3852 2860 31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe z8248323.exe
PID 2860 wrote to memory of 3852 2860 31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe z8248323.exe
PID 2860 wrote to memory of 3852 2860 31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe z8248323.exe
PID 3852 wrote to memory of 4984 3852 z8248323.exe z0475414.exe
PID 3852 wrote to memory of 4984 3852 z8248323.exe z0475414.exe
PID 3852 wrote to memory of 4984 3852 z8248323.exe z0475414.exe
PID 4984 wrote to memory of 2212 4984 z0475414.exe z9219702.exe
PID 4984 wrote to memory of 2212 4984 z0475414.exe z9219702.exe
PID 4984 wrote to memory of 2212 4984 z0475414.exe z9219702.exe
PID 2212 wrote to memory of 4536 2212 z9219702.exe z9794020.exe
PID 2212 wrote to memory of 4536 2212 z9219702.exe z9794020.exe
PID 2212 wrote to memory of 4536 2212 z9219702.exe z9794020.exe
PID 4536 wrote to memory of 428 4536 z9794020.exe q6221924.exe
PID 4536 wrote to memory of 428 4536 z9794020.exe q6221924.exe
PID 4536 wrote to memory of 428 4536 z9794020.exe q6221924.exe
PID 428 wrote to memory of 4236 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 4236 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 4236 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 4084 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 4084 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 4084 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 428 wrote to memory of 5040 428 q6221924.exe AppLaunch.exe
PID 4536 wrote to memory of 1928 4536 z9794020.exe r3752745.exe
PID 4536 wrote to memory of 1928 4536 z9794020.exe r3752745.exe
PID 4536 wrote to memory of 1928 4536 z9794020.exe r3752745.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 1928 wrote to memory of 1568 1928 r3752745.exe AppLaunch.exe
PID 2212 wrote to memory of 3064 2212 z9219702.exe s1106700.exe
PID 2212 wrote to memory of 3064 2212 z9219702.exe s1106700.exe
PID 2212 wrote to memory of 3064 2212 z9219702.exe s1106700.exe
PID 3064 wrote to memory of 4896 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 4896 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 4896 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 3064 wrote to memory of 2376 3064 s1106700.exe AppLaunch.exe
PID 4984 wrote to memory of 3692 4984 z0475414.exe t4284382.exe
PID 4984 wrote to memory of 3692 4984 z0475414.exe t4284382.exe
PID 4984 wrote to memory of 3692 4984 z0475414.exe t4284382.exe
PID 3692 wrote to memory of 2896 3692 t4284382.exe explonde.exe
PID 3692 wrote to memory of 2896 3692 t4284382.exe explonde.exe
PID 3692 wrote to memory of 2896 3692 t4284382.exe explonde.exe
PID 3852 wrote to memory of 4780 3852 z8248323.exe u8937903.exe
PID 3852 wrote to memory of 4780 3852 z8248323.exe u8937903.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
aspnet_compiler.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aspnet_compiler.exe
-
outlook_win_path 1 IoCs
Processes:
aspnet_compiler.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aspnet_compiler.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3196 -
C:\Users\Admin\AppData\Local\Temp\31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe"C:\Users\Admin\AppData\Local\Temp\31e3172965034d615829287e98391877efd324bd0a9629915e730138f84419a8.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8248323.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8248323.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0475414.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0475414.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9219702.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9219702.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9794020.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9794020.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6221924.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6221924.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:428 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵PID:4236
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵PID:4084
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 5928⤵
- Program crash
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3752745.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3752745.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵PID:1568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 5409⤵
- Program crash
PID:1656 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 5808⤵
- Program crash
PID:408 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1106700.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1106700.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:4896
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:2376
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 5727⤵
- Program crash
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4284382.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4284382.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F7⤵
- Creates scheduled task(s)
PID:3824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit7⤵PID:2852
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:2876
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:N"8⤵PID:2208
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:R" /E8⤵PID:4392
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:1884
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"8⤵PID:5064
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E8⤵PID:468
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main7⤵
- Loads dropped DLL
PID:1844 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8937903.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8937903.exe4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4496 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F6⤵
- Creates scheduled task(s)
PID:464 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit6⤵PID:1644
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4676
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:N"7⤵PID:4512
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:R" /E7⤵PID:2904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4064
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:N"7⤵PID:4500
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:R" /E7⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exe"C:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584 -
C:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exeC:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exe7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4704 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main6⤵
- Loads dropped DLL
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8618455.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8618455.exe3⤵
- Executes dropped EXE
PID:924 -
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4116 -
C:\Users\Admin\AppData\Local\Temp\9892.exeC:\Users\Admin\AppData\Local\Temp\9892.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4324 -
C:\Users\Admin\AppData\Local\Temp\9892.exeC:\Users\Admin\AppData\Local\Temp\9892.exe3⤵
- Executes dropped EXE
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\9A29.exeC:\Users\Admin\AppData\Local\Temp\9A29.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\9A29.exe"C:\Users\Admin\AppData\Local\Temp\9A29.exe"3⤵
- Executes dropped EXE
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\9E41.exeC:\Users\Admin\AppData\Local\Temp\9E41.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:852 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe3⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:1784 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 21604⤵
- Program crash
PID:468 -
C:\Users\Admin\AppData\Local\Temp\9FD8.exeC:\Users\Admin\AppData\Local\Temp\9FD8.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"3⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe3⤵PID:4324
-
C:\Users\Admin\AppData\Local\Temp\A3FF.exeC:\Users\Admin\AppData\Local\Temp\A3FF.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4452 -
C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"3⤵
- Executes dropped EXE
PID:3696 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe3⤵PID:1920
-
C:\Users\Admin\AppData\Local\Temp\AFC8.exeC:\Users\Admin\AppData\Local\Temp\AFC8.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 19443⤵
- Program crash
PID:2872 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 19443⤵
- Program crash
PID:1172 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
PID:2860 -
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4500
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2104
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4956
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:1920
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:3712
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4700
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:892
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4468
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:3548
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2856
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4644
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4908
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:2888
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Suspicious behavior: MapViewOfSection
PID:4108 -
C:\Users\Admin\AppData\Local\Temp\EBA3.tmp\svchost.exeC:\Users\Admin\AppData\Local\Temp\EBA3.tmp\svchost.exe -debug3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:5344 -
C:\Windows\SYSTEM32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\EBA3.tmp\aa_nts.dll",run4⤵
- Loads dropped DLL
PID:4956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 428 -ip 4281⤵PID:3816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1928 -ip 19281⤵PID:4840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1568 -ip 15681⤵PID:3008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3064 -ip 30641⤵PID:2252
-
C:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exe"C:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080 -
C:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exeC:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824 -
C:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exe"C:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324 -
C:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exeC:\Users\Admin\AppData\Local\Microsoft\NSzC8pOj.exe4⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:3032
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4028 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:60 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:4724 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:1468 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:3628
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
PID:1080 -
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable4⤵
- Modifies Windows Firewall
PID:4448 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:5784
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:5904
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:6104
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:5708
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:4072
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4136 -
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵PID:5372
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:4364 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:5208 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:5056
-
C:\Users\Admin\AppData\Local\Microsoft\K367)Qpxg.exeC:\Users\Admin\AppData\Local\Microsoft\K367)Qpxg.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2224
-
C:\Users\Admin\AppData\Local\Microsoft\K367)Qpxg.exe"C:\Users\Admin\AppData\Local\Microsoft\K367)Qpxg.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1552
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:4488
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
PID:4388
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:4116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1784 -ip 17841⤵PID:3464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3024 -ip 30241⤵PID:2524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3024 -ip 30241⤵PID:3152
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
PID:5232
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:5596
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 2
Windows Service: 2
Pre-OS Boot: 1
Bootkit: 1
Scheduled Task/Job: 1
Privilege Escalation
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Create or Modify System Process: 2
Windows Service: 2
Scheduled Task/Job: 1
Defense Evasion
Impair Defenses: 1
Disable or Modify Tools: 1
Indicator Removal: 3
File Deletion: 3
Modify Registry: 2
Pre-OS Boot: 1
Bootkit: 1
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[6E673161-3483].[[email protected]].8base
Filesize3.2MB
MD5842adbe697ebae0c4283aa11a6680d75
SHA1f0f35e7d2fea0a8100241e6eaee497bddba8bd4a
SHA256dd70634207873ddab3fa0c9a8c8ea5457b6bbbb54f334e4bdfc5c93615729f50
SHA512a0c626d4c885b5c0b1ca6687c350caccc59b28db42558b7bec322af5ecdf741b460c73481194a4f0b87bf3202775cb8e9584a007791fa0169f7728b62a40371b
-
Filesize
1.9MB
MD51b87684768db892932be3f0661c54251
SHA1e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA25665fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA5120fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
-
Filesize
1.7MB
MD5a6ab201ae407fbe4a5da5f20dc38412b
SHA1b3f8caf67f36730ad87031d206db91c861980615
SHA2569d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
SHA512eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b
-
Filesize
1.7MB
MD5a6ab201ae407fbe4a5da5f20dc38412b
SHA1b3f8caf67f36730ad87031d206db91c861980615
SHA2569d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
SHA512eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b
-
Filesize
1.7MB
MD5a6ab201ae407fbe4a5da5f20dc38412b
SHA1b3f8caf67f36730ad87031d206db91c861980615
SHA2569d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
SHA512eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b
-
Filesize
1.7MB
MD5a6ab201ae407fbe4a5da5f20dc38412b
SHA1b3f8caf67f36730ad87031d206db91c861980615
SHA2569d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
SHA512eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b
-
Filesize
468KB
MD520bb118569b859e64feaaf30227e04b8
SHA13fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c
-
Filesize
468KB
MD520bb118569b859e64feaaf30227e04b8
SHA13fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c
-
Filesize
62KB
MD55f0bbf0b4ce5fa0bca57f1230e660dff
SHA1529e438c21899eff993c0871ce07aff037d7f10d
SHA256a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d
SHA512ddede174b3aac4bbf434e1d61da8fa858b4bde11850a75b113376dccb7356f054a9fb696f498cb01c040cec33bb03d75c8c7b2787d46fc33569aeb753ee16131
-
Filesize
62KB
MD55f0bbf0b4ce5fa0bca57f1230e660dff
SHA1529e438c21899eff993c0871ce07aff037d7f10d
SHA256a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d
SHA512ddede174b3aac4bbf434e1d61da8fa858b4bde11850a75b113376dccb7356f054a9fb696f498cb01c040cec33bb03d75c8c7b2787d46fc33569aeb753ee16131
-
Filesize
61KB
MD54345b942eb187e2b867a6e9524d166e0
SHA11814c6a4205852069bbaaf9c8bd2809842d52548
SHA2560b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c
SHA51285f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6
-
Filesize
61KB
MD54345b942eb187e2b867a6e9524d166e0
SHA11814c6a4205852069bbaaf9c8bd2809842d52548
SHA2560b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c
SHA51285f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6
-
Filesize
61KB
MD54345b942eb187e2b867a6e9524d166e0
SHA11814c6a4205852069bbaaf9c8bd2809842d52548
SHA2560b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c
SHA51285f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6
-
Filesize
61KB
MD54345b942eb187e2b867a6e9524d166e0
SHA11814c6a4205852069bbaaf9c8bd2809842d52548
SHA2560b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c
SHA51285f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6
-
Filesize
1.5MB
MD5400261992d812b24ecd3bfe79700443c
SHA1f4f0d341cc860f046b2713939c70da32944f7eda
SHA256222a5af34881bb68ffc370491a0f8d67b550cd368c49927715946365bbe8038f
SHA512ed25f5d636658f629625614a95d4bc7a999b10cb2689c38159afa5ff24afd5136119500d00ebe83d880702f9b8e560fb570d92199f56e865eccca9695b8582f9
-
Filesize
1.5MB
MD5400261992d812b24ecd3bfe79700443c
SHA1f4f0d341cc860f046b2713939c70da32944f7eda
SHA256222a5af34881bb68ffc370491a0f8d67b550cd368c49927715946365bbe8038f
SHA512ed25f5d636658f629625614a95d4bc7a999b10cb2689c38159afa5ff24afd5136119500d00ebe83d880702f9b8e560fb570d92199f56e865eccca9695b8582f9
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
19KB
MD5c24cfaa5bc1547b2d5cbc80a1d02f039
SHA1b67e7b3b6217ba14060ecadc0ff8bbdfbc15abfa
SHA2567271f222404dc67edc86ae385eac8383aa65036658bb91a1e94d5a8b8bfe4522
SHA5123eb67f40251e4dbd5354b3e2a680224af21abec139438b1fbcce6b61713d28fbc911ed9af462d0783f79702cf04d31c00a607e9e507f02a1d6ad975b55440f9e
-
Filesize
19KB
MD5c24cfaa5bc1547b2d5cbc80a1d02f039
SHA1b67e7b3b6217ba14060ecadc0ff8bbdfbc15abfa
SHA2567271f222404dc67edc86ae385eac8383aa65036658bb91a1e94d5a8b8bfe4522
SHA5123eb67f40251e4dbd5354b3e2a680224af21abec139438b1fbcce6b61713d28fbc911ed9af462d0783f79702cf04d31c00a607e9e507f02a1d6ad975b55440f9e
-
Filesize
969KB
MD5563dae20b8fc076d308963b74e8a3098
SHA11873aa1e894e41bd66c3dfb422cd518c3b647981
SHA256ce11c55c6c6b7db8a4da4130ba02a57689cd6493d701fafdf3e73113fae54f97
SHA512db6de0844074ac7144ec40b95b96a813551ac0d1030ab8b258cf836168a57b49c098454078c14b6a689855286bdf561700d9a5501d250030d5b03f55a427c7e2
-
Filesize
969KB
MD5563dae20b8fc076d308963b74e8a3098
SHA11873aa1e894e41bd66c3dfb422cd518c3b647981
SHA256ce11c55c6c6b7db8a4da4130ba02a57689cd6493d701fafdf3e73113fae54f97
SHA512db6de0844074ac7144ec40b95b96a813551ac0d1030ab8b258cf836168a57b49c098454078c14b6a689855286bdf561700d9a5501d250030d5b03f55a427c7e2
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
787KB
MD5ffb4c3c0182566c4b47a801aead179e1
SHA16a667a9b27627ef1a695fc502685d304f764eaab
SHA256a05483d1cecad8e2547150d84e698ee60acc015cfb61cd7b6763cdd9df85b900
SHA51263f946fdfdc3c43b9a9b70a256504d5f98a36f835268c5922d708dc7aac1a90cf1c499f61cff7af0ddd26c44ca4765f82b73920ee7e562b6cf9e150457e46687
-
Filesize
787KB
MD5ffb4c3c0182566c4b47a801aead179e1
SHA16a667a9b27627ef1a695fc502685d304f764eaab
SHA256a05483d1cecad8e2547150d84e698ee60acc015cfb61cd7b6763cdd9df85b900
SHA51263f946fdfdc3c43b9a9b70a256504d5f98a36f835268c5922d708dc7aac1a90cf1c499f61cff7af0ddd26c44ca4765f82b73920ee7e562b6cf9e150457e46687
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
604KB
MD510024cffeac17ecd9869f91020910eee
SHA1cb7acb4aa8b63226cdd7a807bcb7cd307a34df72
SHA256209f1bda5251dfdb44754b65513a7ffaca72cdd1996b8ecb0f363834036d655c
SHA51274c9193daadf7a1046e7a4f43e867f87d356e1fa10bf42ba60f7a1751981ff5c203174e45cfa50518d9f4387376ee8bd8f0138d99aadb27bbf84ab137e954c16
-
Filesize
604KB
MD510024cffeac17ecd9869f91020910eee
SHA1cb7acb4aa8b63226cdd7a807bcb7cd307a34df72
SHA256209f1bda5251dfdb44754b65513a7ffaca72cdd1996b8ecb0f363834036d655c
SHA51274c9193daadf7a1046e7a4f43e867f87d356e1fa10bf42ba60f7a1751981ff5c203174e45cfa50518d9f4387376ee8bd8f0138d99aadb27bbf84ab137e954c16
-
Filesize
383KB
MD5afea6eee0b375b59da4e7569702126af
SHA186da455600ed7f2be11750d2f91f5ad905ce3af7
SHA2562bac8c95a45fbd4a30bb334fc8cbd265d5bf1fd564ac57aaa6e4a54cdc6a04fb
SHA512dfaf887a15722308511c7f6a0161fa884b4afc007530d756014de708853f48c8fcde3ec8b440c9d307b325c41d57c1e3ed16513eecfa31d615c9e966e4a78cfc
-
Filesize
383KB
MD5afea6eee0b375b59da4e7569702126af
SHA186da455600ed7f2be11750d2f91f5ad905ce3af7
SHA2562bac8c95a45fbd4a30bb334fc8cbd265d5bf1fd564ac57aaa6e4a54cdc6a04fb
SHA512dfaf887a15722308511c7f6a0161fa884b4afc007530d756014de708853f48c8fcde3ec8b440c9d307b325c41d57c1e3ed16513eecfa31d615c9e966e4a78cfc
-
Filesize
344KB
MD53685e6bb89cfae30540f526de5bb0936
SHA144fb39d87d5c8c9ad6ffcf06cb1a325caf72da76
SHA2569d3bb0b3dc5678a4bbdde3127f6a61b270a3c0b2b7c783a7a74dbaf3834c7a80
SHA512fe59151f49e401399dbe81d52e18cef3574356ca06fa231f459a04d661dd1f654f1c5441868725b56edc7c192d6a57b3cff655046755d50fec8cf16c80e513a3
-
Filesize
344KB
MD53685e6bb89cfae30540f526de5bb0936
SHA144fb39d87d5c8c9ad6ffcf06cb1a325caf72da76
SHA2569d3bb0b3dc5678a4bbdde3127f6a61b270a3c0b2b7c783a7a74dbaf3834c7a80
SHA512fe59151f49e401399dbe81d52e18cef3574356ca06fa231f459a04d661dd1f654f1c5441868725b56edc7c192d6a57b3cff655046755d50fec8cf16c80e513a3
-
Filesize
220KB
MD50c3ff9de2fd0c1061c4f5382d679fbf9
SHA1b34daae64a5477fae5d170e136194918d46e982c
SHA256a1863fb82b4e6ae741bd277c07e9f52eff07bff33f03b26608f57f9138da91a9
SHA5128ae0801dbee76e95a83b9c795980b85ff36cac713a0784df8a130b1a8c35bcf89a17c1811f39bc9f072e9413b5848b72bf10d17a0f1f155cfa2f100a8307fcc1
-
Filesize
220KB
MD50c3ff9de2fd0c1061c4f5382d679fbf9
SHA1b34daae64a5477fae5d170e136194918d46e982c
SHA256a1863fb82b4e6ae741bd277c07e9f52eff07bff33f03b26608f57f9138da91a9
SHA5128ae0801dbee76e95a83b9c795980b85ff36cac713a0784df8a130b1a8c35bcf89a17c1811f39bc9f072e9413b5848b72bf10d17a0f1f155cfa2f100a8307fcc1
-
Filesize
364KB
MD54fc14d3ebd4905bba5063ff223073077
SHA1a73e46e6b7fc4791e0f2316a12c0f1843e767e17
SHA256bda9f0a2a4d6496e5d78fd182a78090d5d5e04906f57d299c7594a63a24ba689
SHA512504d1ebfcbd1baf0ec4eff206d1391f9aab0901a9fe0744a8157b5426ff9d0d0084e7cb0c53bfea640bdd476a55a77af9eb59c0a4e3d7a0ec774a9d6650fb194
-
Filesize
364KB
MD54fc14d3ebd4905bba5063ff223073077
SHA1a73e46e6b7fc4791e0f2316a12c0f1843e767e17
SHA256bda9f0a2a4d6496e5d78fd182a78090d5d5e04906f57d299c7594a63a24ba689
SHA512504d1ebfcbd1baf0ec4eff206d1391f9aab0901a9fe0744a8157b5426ff9d0d0084e7cb0c53bfea640bdd476a55a77af9eb59c0a4e3d7a0ec774a9d6650fb194
-
Filesize
84KB
MD5695069cac77763a345f1d32305a8c7ce
SHA1509b592b750bd4f33392b3090494ea96ea966b4c
SHA256514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e
SHA5127cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0
-
Filesize
84KB
MD5695069cac77763a345f1d32305a8c7ce
SHA1509b592b750bd4f33392b3090494ea96ea966b4c
SHA256514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e
SHA5127cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0
-
Filesize
84KB
MD5695069cac77763a345f1d32305a8c7ce
SHA1509b592b750bd4f33392b3090494ea96ea966b4c
SHA256514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e
SHA5127cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0
-
Filesize
84KB
MD5695069cac77763a345f1d32305a8c7ce
SHA1509b592b750bd4f33392b3090494ea96ea966b4c
SHA256514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e
SHA5127cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
89KB
MD52ac6d3fcf6913b1a1ac100407e97fccb
SHA1809f7d4ed348951b79745074487956255d1d0a9a
SHA25630f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA51279ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
-
Filesize
89KB
MD52ac6d3fcf6913b1a1ac100407e97fccb
SHA1809f7d4ed348951b79745074487956255d1d0a9a
SHA25630f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA51279ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
-
Filesize
89KB
MD52ac6d3fcf6913b1a1ac100407e97fccb
SHA1809f7d4ed348951b79745074487956255d1d0a9a
SHA25630f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA51279ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
-
Filesize
273B
MD50c459e65bcc6d38574f0c0d63a87088a
SHA141e53d5f2b3e7ca859b842a1c7b677e0847e6d65
SHA256871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
SHA512be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\cookies.sqlite.id[6E673161-3483].[[email protected]].8base
Filesize: 96KB