Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
24-09-2023 01:40
Static task
static1
Behavioral task
behavioral1
Sample
86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe
Resource
win10v2004-20230915-en
General
-
Target
86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe
-
Size
1.0MB
-
MD5
1af4ccc11f39a4846d09b90172cec1bb
-
SHA1
7a24ed192383f445503a43c435e635274f255380
-
SHA256
86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea
-
SHA512
d5839724e74da677b27da078a7ba3e87d076140f64bad22b0549d87faf138377b51cfe6a3b29d8fb0dcc13e2ebdb5049c3b51bb5efa07a8218ed53a29d3989f6
-
SSDEEP
24576:Sye5lCD0watD0Mg7MosgGWVNaPV7msHmNo:5mCowaJvLZWVNgV7Z
Malware Config
Extracted
redline
nanya
77.91.124.82:19071
-
auth_value
640aa5afe54f566d8795f0dc723f8b52
Extracted
amadey
3.89
http://77.91.68.52/mac/index.php
http://77.91.68.78/help/index.php
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
Extracted
smokeloader
2022
http://servermlogs27.xyz/statweb255/
http://servmblog45.xyz/statweb255/
http://demblog575.xyz/statweb255/
http://admlogs85x.xyz/statweb255/
http://blogmstat389.xyz/statweb255/
http://blogmstat255.xyz/statweb255/
Extracted
C:\info.hta
class='mark'>[email protected]</span></div>
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 2 IoCs
resource yara_rule behavioral1/files/0x00060000000232ac-6214.dat family_ammyyadmin behavioral1/files/0x00060000000232ac-6287.dat family_ammyyadmin -
Detect rhadamanthys stealer shellcode 5 IoCs
resource yara_rule behavioral1/memory/316-120-0x0000000002D10000-0x0000000003110000-memory.dmp family_rhadamanthys behavioral1/memory/316-122-0x0000000002D10000-0x0000000003110000-memory.dmp family_rhadamanthys behavioral1/memory/316-123-0x0000000002D10000-0x0000000003110000-memory.dmp family_rhadamanthys behavioral1/memory/316-124-0x0000000002D10000-0x0000000003110000-memory.dmp family_rhadamanthys behavioral1/memory/316-133-0x0000000002D10000-0x0000000003110000-memory.dmp family_rhadamanthys -
Detects Healer an antivirus disabler dropper 1 IoCs
resource yara_rule behavioral1/memory/732-35-0x0000000000400000-0x000000000040A000-memory.dmp healer -
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe -
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral1/memory/1292-48-0x0000000000400000-0x0000000000430000-memory.dmp family_redline -
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 316 created 3224 316 rh111.exe 47 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 1952 bcdedit.exe 752 bcdedit.exe 4176 bcdedit.exe 1812 bcdedit.exe -
Renames multiple (470) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2432 wbadmin.exe 4372 wbadmin.exe -
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 4928 netsh.exe 2328 netsh.exe -
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation t6406316.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation explonde.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation u2495246.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation legota.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation J15$2NjP[X.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini J15$2NjP[X.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe -
Executes dropped EXE 32 IoCs
pid Process 4140 z7398746.exe 3524 z9112056.exe 1600 z9742916.exe 4068 z4739665.exe 3756 q2318511.exe 4840 r8225120.exe 3032 s4798845.exe 1508 t6406316.exe 3416 explonde.exe 1064 u2495246.exe 4428 legota.exe 3676 w7929108.exe 1116 rh111.exe 316 rh111.exe 4968 legota.exe 1760 explonde.exe 4808 J15$2NjP[X.exe 3516 BQxD9_v%U0.exe 5032 J15$2NjP[X.exe 4888 BQxD9_v%U0.exe 2236 J15$2NjP[X.exe 3908 J15$2NjP[X.exe 684 AB3F.exe 3392 ACD6.exe 3988 AB3F.exe 3176 AB3F.exe 3536 AB3F.exe 3520 B757.exe 4840 legota.exe 4948 explonde.exe 4868 svchost.exe 3820 ACD6.exe -
Loads dropped DLL 3 IoCs
pid Process 3944 rundll32.exe 1428 rundll32.exe 4740 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook certreq.exe Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z7398746.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z9112056.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" z9742916.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" z4739665.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\J15$2NjP[X = "C:\\Users\\Admin\\AppData\\Local\\J15$2NjP[X.exe" J15$2NjP[X.exe Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\J15$2NjP[X = "C:\\Users\\Admin\\AppData\\Local\\J15$2NjP[X.exe" J15$2NjP[X.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\Videos\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini J15$2NjP[X.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1926387074-3400613176-3566796709-1000\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\Documents\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\Libraries\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\Music\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Videos\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Documents\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Music\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\Pictures\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Public\Downloads\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini J15$2NjP[X.exe File opened for modification C:\Program Files\desktop.ini J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Links\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini J15$2NjP[X.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini J15$2NjP[X.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI J15$2NjP[X.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini J15$2NjP[X.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 svchost.exe -
Suspicious use of SetThreadContext 9 IoCs
description pid Process procid_target PID 3756 set thread context of 732 3756 q2318511.exe 91 PID 4840 set thread context of 4676 4840 r8225120.exe 101 PID 3032 set thread context of 1292 3032 s4798845.exe 107 PID 1116 set thread context of 316 1116 rh111.exe 137 PID 4808 set thread context of 5032 4808 J15$2NjP[X.exe 148 PID 3516 set thread context of 4888 3516 BQxD9_v%U0.exe 149 PID 2236 set thread context of 3908 2236 J15$2NjP[X.exe 152 PID 684 set thread context of 3536 684 AB3F.exe 179 PID 3392 set thread context of 3820 3392 ACD6.exe 191 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-time-l1-1-0.dll.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.ITS J15$2NjP[X.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui J15$2NjP[X.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml J15$2NjP[X.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-150.png J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\ColorPalette.png J15$2NjP[X.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close.svg.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_48.png J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailLargeTile.scale-400.png J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PowerShell.PackageManagement.resources.dll J15$2NjP[X.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\JUICE___.TTF J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\grv_icons.exe J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_LRG.png J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ul-oob.xrm-ms.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-125_contrast-white.png J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml J15$2NjP[X.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-actions_ja.jar J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll J15$2NjP[X.exe File created C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\remove.png J15$2NjP[X.exe File created C:\Program Files (x86)\Microsoft\Temp\EU3498.tmp\msedgeupdateres_ta.dll.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar J15$2NjP[X.exe File created C:\Program Files\Java\jre1.8.0_66\lib\ext\jaccess.jar.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ul-oob.xrm-ms J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Data.Common.dll J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\Common Files\System\ado\msador15.dll J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\SmallLogo.png J15$2NjP[X.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\deployJava1.dll J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-80_altform-unplated.png J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js J15$2NjP[X.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\vfs\SystemX86\msvcp140_1.dll.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x_2x.png.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\196.png J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-32.png J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsiProvider.resources.dll J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll J15$2NjP[X.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\DATES.XML.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File created C:\Program Files\7-Zip\Lang\sq.txt.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-96.png J15$2NjP[X.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-awt.xml.id[ECCFD133-3483].[[email protected]].8base J15$2NjP[X.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-100_contrast-black.png J15$2NjP[X.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mi.pak.DATA J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms J15$2NjP[X.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms J15$2NjP[X.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4944 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
pid pid_target Process procid_target 1112 3756 WerFault.exe 90 2656 4840 WerFault.exe 96 3744 4676 WerFault.exe 101 4472 3032 WerFault.exe 106 3808 3520 WerFault.exe 180 1532 3520 WerFault.exe 180 -
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BQxD9_v%U0.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BQxD9_v%U0.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI BQxD9_v%U0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 certreq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString certreq.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3840 schtasks.exe 2504 schtasks.exe -
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1592 vssadmin.exe 404 vssadmin.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings J15$2NjP[X.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 732 AppLaunch.exe 732 AppLaunch.exe 1116 rh111.exe 316 rh111.exe 316 rh111.exe 316 rh111.exe 316 rh111.exe 4756 certreq.exe 4756 certreq.exe 4756 certreq.exe 4756 certreq.exe 4888 BQxD9_v%U0.exe 4888 BQxD9_v%U0.exe 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 5032 J15$2NjP[X.exe 5032 J15$2NjP[X.exe 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 5032 J15$2NjP[X.exe 5032 J15$2NjP[X.exe 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3224 Explorer.EXE -
Suspicious behavior: MapViewOfSection 33 IoCs
pid Process 4888 BQxD9_v%U0.exe 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 3224 Explorer.EXE 1036 explorer.exe 1036 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 732 AppLaunch.exe Token: SeDebugPrivilege 1116 rh111.exe Token: SeDebugPrivilege 4808 J15$2NjP[X.exe Token: SeDebugPrivilege 3516 BQxD9_v%U0.exe Token: SeDebugPrivilege 2236 J15$2NjP[X.exe Token: SeDebugPrivilege 5032 J15$2NjP[X.exe Token: SeBackupPrivilege 4116 vssvc.exe Token: SeRestorePrivilege 4116 vssvc.exe Token: SeAuditPrivilege 4116 vssvc.exe Token: SeIncreaseQuotaPrivilege 2140 WMIC.exe Token: SeSecurityPrivilege 2140 WMIC.exe Token: SeTakeOwnershipPrivilege 2140 WMIC.exe Token: SeLoadDriverPrivilege 2140 WMIC.exe Token: SeSystemProfilePrivilege 2140 WMIC.exe Token: SeSystemtimePrivilege 2140 WMIC.exe Token: SeProfSingleProcessPrivilege 2140 WMIC.exe Token: SeIncBasePriorityPrivilege 2140 WMIC.exe Token: SeCreatePagefilePrivilege 2140 WMIC.exe Token: SeBackupPrivilege 2140 WMIC.exe Token: SeRestorePrivilege 2140 WMIC.exe Token: SeShutdownPrivilege 2140 WMIC.exe Token: SeDebugPrivilege 2140 WMIC.exe Token: SeSystemEnvironmentPrivilege 2140 WMIC.exe Token: SeRemoteShutdownPrivilege 2140 WMIC.exe Token: SeUndockPrivilege 2140 WMIC.exe Token: SeManageVolumePrivilege 2140 WMIC.exe Token: 33 2140 WMIC.exe Token: 34 2140 WMIC.exe Token: 35 2140 WMIC.exe Token: 36 2140 WMIC.exe Token: SeIncreaseQuotaPrivilege 2140 WMIC.exe Token: SeSecurityPrivilege 2140 WMIC.exe Token: SeTakeOwnershipPrivilege 2140 WMIC.exe Token: SeLoadDriverPrivilege 2140 WMIC.exe Token: SeSystemProfilePrivilege 2140 WMIC.exe Token: SeSystemtimePrivilege 2140 WMIC.exe Token: SeProfSingleProcessPrivilege 2140 WMIC.exe Token: SeIncBasePriorityPrivilege 2140 WMIC.exe Token: SeCreatePagefilePrivilege 2140 WMIC.exe Token: SeBackupPrivilege 2140 WMIC.exe Token: SeRestorePrivilege 2140 WMIC.exe Token: SeShutdownPrivilege 2140 WMIC.exe Token: SeDebugPrivilege 2140 WMIC.exe Token: SeSystemEnvironmentPrivilege 2140 WMIC.exe Token: SeRemoteShutdownPrivilege 2140 WMIC.exe Token: SeUndockPrivilege 2140 WMIC.exe Token: SeManageVolumePrivilege 2140 WMIC.exe Token: 33 2140 WMIC.exe Token: 34 2140 WMIC.exe Token: 35 2140 WMIC.exe Token: 36 2140 WMIC.exe Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeBackupPrivilege 1472 wbengine.exe Token: SeRestorePrivilege 1472 wbengine.exe Token: SeSecurityPrivilege 1472 wbengine.exe Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeDebugPrivilege 684 AB3F.exe Token: SeDebugPrivilege 3392 ACD6.exe Token: SeDebugPrivilege 3520 B757.exe Token: SeShutdownPrivilege 3224 Explorer.EXE Token: SeCreatePagefilePrivilege 3224 Explorer.EXE Token: SeShutdownPrivilege 3224 Explorer.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4868 svchost.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3224 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4468 wrote to memory of 4140 4468 86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe 86 PID 4468 wrote to memory of 4140 4468 86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe 86 PID 4468 wrote to memory of 4140 4468 86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe 86 PID 4140 wrote to memory of 3524 4140 z7398746.exe 87 PID 4140 wrote to memory of 3524 4140 z7398746.exe 87 PID 4140 wrote to memory of 3524 4140 z7398746.exe 87 PID 3524 wrote to memory of 1600 3524 z9112056.exe 88 PID 3524 wrote to memory of 1600 3524 z9112056.exe 88 PID 3524 wrote to memory of 1600 3524 z9112056.exe 88 PID 1600 wrote to memory of 4068 1600 z9742916.exe 89 PID 1600 wrote to memory of 4068 1600 z9742916.exe 89 PID 1600 wrote to memory of 4068 1600 z9742916.exe 89 PID 4068 wrote to memory of 3756 4068 z4739665.exe 90 PID 4068 wrote to memory of 3756 4068 z4739665.exe 90 PID 4068 wrote to memory of 3756 4068 z4739665.exe 90 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 3756 wrote to memory of 732 3756 q2318511.exe 91 PID 4068 wrote to memory of 4840 4068 z4739665.exe 96 PID 4068 wrote to memory of 4840 4068 z4739665.exe 96 PID 4068 wrote to memory of 4840 4068 z4739665.exe 96 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 4840 wrote to memory of 4676 4840 r8225120.exe 101 PID 1600 wrote to memory of 3032 1600 z9742916.exe 106 PID 1600 wrote to memory of 3032 1600 z9742916.exe 106 PID 1600 wrote to memory of 3032 1600 z9742916.exe 106 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3032 wrote to memory of 1292 3032 s4798845.exe 107 PID 3524 wrote to memory of 1508 3524 z9112056.exe 110 PID 3524 wrote to memory of 1508 3524 z9112056.exe 110 PID 3524 wrote to memory of 1508 3524 z9112056.exe 110 PID 1508 wrote to memory of 3416 1508 t6406316.exe 111 PID 1508 wrote to memory of 3416 1508 t6406316.exe 111 PID 1508 wrote to memory of 3416 1508 t6406316.exe 111 PID 4140 wrote to memory of 1064 4140 z7398746.exe 112 PID 4140 wrote to memory of 1064 4140 z7398746.exe 112 PID 4140 wrote to memory of 1064 4140 z7398746.exe 112 PID 3416 wrote to memory of 2504 3416 explonde.exe 113 PID 3416 wrote to memory of 2504 3416 explonde.exe 113 PID 3416 wrote to memory of 2504 3416 explonde.exe 113 PID 3416 wrote to memory of 2964 3416 explonde.exe 115 PID 3416 wrote to memory of 2964 3416 explonde.exe 115 PID 3416 wrote to memory of 2964 3416 explonde.exe 115 PID 2964 wrote to memory of 3352 2964 cmd.exe 117 PID 2964 wrote to memory of 3352 2964 cmd.exe 117 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe"C:\Users\Admin\AppData\Local\Temp\86698bf50808fc5b543ff341820526b6660899c156f73829742f198ed7b018ea.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7398746.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7398746.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9112056.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9112056.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9742916.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9742916.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4739665.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4739665.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2318511.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2318511.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:732
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 5528⤵
- Program crash
PID:1112
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8225120.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8225120.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵PID:4676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 5409⤵
- Program crash
PID:3744
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 5528⤵
- Program crash
PID:2656
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4798845.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4798845.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:1292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 5527⤵
- Program crash
PID:4472
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6406316.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t6406316.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3416 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F7⤵
- Creates scheduled task(s)
PID:2504
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:3352
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:N"8⤵PID:1160
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:R" /E8⤵PID:4888
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"8⤵PID:3632
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:3304
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E8⤵PID:4560
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main7⤵
- Loads dropped DLL
PID:3944
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2495246.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2495246.exe4⤵
- Checks computer location settings
- Executes dropped EXE
PID:1064 -
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F6⤵
- Creates scheduled task(s)
PID:3840
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit6⤵PID:2716
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1200
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:N"7⤵PID:4152
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:R" /E7⤵PID:2796
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1196
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:N"7⤵PID:620
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:R" /E7⤵PID:4844
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exe"C:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exeC:\Users\Admin\AppData\Local\Temp\1000058001\rh111.exe7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:316
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main6⤵
- Loads dropped DLL
PID:1428
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7929108.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7929108.exe3⤵
- Executes dropped EXE
PID:3676
-
-
-
C:\Windows\system32\certreq.exe"C:\Windows\system32\certreq.exe"2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4756
-
-
C:\Users\Admin\AppData\Local\Temp\AB3F.exeC:\Users\Admin\AppData\Local\Temp\AB3F.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:684 -
C:\Users\Admin\AppData\Local\Temp\AB3F.exeC:\Users\Admin\AppData\Local\Temp\AB3F.exe3⤵
- Executes dropped EXE
PID:3176
-
-
C:\Users\Admin\AppData\Local\Temp\AB3F.exeC:\Users\Admin\AppData\Local\Temp\AB3F.exe3⤵
- Executes dropped EXE
PID:3988
-
-
C:\Users\Admin\AppData\Local\Temp\AB3F.exeC:\Users\Admin\AppData\Local\Temp\AB3F.exe3⤵
- Executes dropped EXE
PID:3536
-
-
-
C:\Users\Admin\AppData\Local\Temp\ACD6.exeC:\Users\Admin\AppData\Local\Temp\ACD6.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3392 -
C:\Users\Admin\AppData\Local\Temp\ACD6.exe"C:\Users\Admin\AppData\Local\Temp\ACD6.exe"3⤵
- Executes dropped EXE
PID:3820
-
-
-
C:\Users\Admin\AppData\Local\Temp\B757.exeC:\Users\Admin\AppData\Local\Temp\B757.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 19523⤵
- Program crash
PID:3808
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 19523⤵
- Program crash
PID:1532
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2184
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4640
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:624
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:5004
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2876
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:1228
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:1600
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4080
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:3244
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:3872
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:2456
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:64
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵PID:4960
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:2976
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Suspicious behavior: MapViewOfSection
PID:1036 -
C:\Users\Admin\AppData\Local\Temp\F1DD.tmp\svchost.exeC:\Users\Admin\AppData\Local\Temp\F1DD.tmp\svchost.exe -debug3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:4868 -
C:\Windows\SYSTEM32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\F1DD.tmp\aa_nts.dll",run4⤵
- Loads dropped DLL
PID:4740
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3756 -ip 37561⤵PID:2196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4840 -ip 48401⤵PID:5104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4676 -ip 46761⤵PID:1532
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3032 -ip 30321⤵PID:4160
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
PID:4968
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:1760
-
C:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exe"C:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4808 -
C:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exeC:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exe2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032 -
C:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exe"C:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exeC:\Users\Admin\AppData\Local\Microsoft\J15$2NjP[X.exe4⤵
- Executes dropped EXE
PID:3908
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:2692
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:404
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1952
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:752
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2432
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:4868
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
PID:4928
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable4⤵
- Modifies Windows Firewall
PID:2328
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:4872
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:4816
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:4764
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:4168
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:2296
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1592
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵PID:2716
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:4176
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:1812
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:4372
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\BQxD9_v%U0.exe"C:\Users\Admin\AppData\Local\Microsoft\BQxD9_v%U0.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3516 -
C:\Users\Admin\AppData\Local\Microsoft\BQxD9_v%U0.exeC:\Users\Admin\AppData\Local\Microsoft\BQxD9_v%U0.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4888
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4964
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3824
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3520 -ip 35201⤵PID:3668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3520 -ip 35201⤵PID:4392
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
PID:4840
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:4948
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4944
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
2Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[ECCFD133-3483].[[email protected]].8base
Filesize3.2MB
MD5f5d8e81ea43c26331c945bde7cf6ff1d
SHA14b4a00c18a9fb577d14f528aecc7300a12fb4481
SHA256ec3110ee3dcc55a7dbda9ee9bb80763ef6cfc4bce780b5f2d2f2fac363d2f094
SHA512bb5c3ec5d19b23094be200380e6c0cb574a4c5389e4698f7ee91718aff6b5b1520c7751cb84a4d17208b2bbb4a48a3cb2f0082488c9b4b02ff85e236f0c7d80a
-
Filesize
250KB
MD5f303bcd11ab0d3f55980064dee528ab5
SHA1815aaa887d7991ec9dcda8f0e1adea12f76aa789
SHA25621fb9e94c2c0cd34955a9315539053cf736135254de72bfab497c88d01ee76f0
SHA512371cc13d036b31ac71cd19c308d4e608e3225380c57de9d8448fb5849ad1c465ea51de1c9bd39d8570a807f5222c2853e5c10a59583ffcc96cffe52765741cf6
-
Filesize
250KB
MD5f303bcd11ab0d3f55980064dee528ab5
SHA1815aaa887d7991ec9dcda8f0e1adea12f76aa789
SHA25621fb9e94c2c0cd34955a9315539053cf736135254de72bfab497c88d01ee76f0
SHA512371cc13d036b31ac71cd19c308d4e608e3225380c57de9d8448fb5849ad1c465ea51de1c9bd39d8570a807f5222c2853e5c10a59583ffcc96cffe52765741cf6
-
Filesize
250KB
MD5f303bcd11ab0d3f55980064dee528ab5
SHA1815aaa887d7991ec9dcda8f0e1adea12f76aa789
SHA25621fb9e94c2c0cd34955a9315539053cf736135254de72bfab497c88d01ee76f0
SHA512371cc13d036b31ac71cd19c308d4e608e3225380c57de9d8448fb5849ad1c465ea51de1c9bd39d8570a807f5222c2853e5c10a59583ffcc96cffe52765741cf6
-
Filesize
927B
MD54a911455784f74e368a4c2c7876d76f4
SHA1a1700a0849ffb4f26671eb76da2489946b821c34
SHA256264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA5124617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
927B
MD54a911455784f74e368a4c2c7876d76f4
SHA1a1700a0849ffb4f26671eb76da2489946b821c34
SHA256264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA5124617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
-
Filesize
927B
MD54a911455784f74e368a4c2c7876d76f4
SHA1a1700a0849ffb4f26671eb76da2489946b821c34
SHA256264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA5124617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
-
Filesize
927B
MD54a911455784f74e368a4c2c7876d76f4
SHA1a1700a0849ffb4f26671eb76da2489946b821c34
SHA256264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA5124617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[ECCFD133-3483].[[email protected]].8base
Filesize92KB
MD55aff98bc4de4de9844e0eec56ccfc80a
SHA13f29266231b2f5e137b1720ee3d072510d7077e1
SHA256e3dd83a73c9d0c8215c04dc63ea397fc007080a903a4a063547526405724d276
SHA5127f04eec645e70f0c0a8f24bad72e996ece8330445fd226cbad8b3cd31f187bf6943f1ddb06ad31c9e3ce47dabb2cf8af569b40aa12023fd31425dc269df7b143
-
Filesize
24B
MD5ae6fbded57f9f7d048b95468ddee47ca
SHA1c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3
-
Filesize
1.9MB
MD51b87684768db892932be3f0661c54251
SHA1e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA25665fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA5120fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
-
Filesize
1.9MB
MD51b87684768db892932be3f0661c54251
SHA1e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA25665fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA5120fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
-
Filesize
1.9MB
MD51b87684768db892932be3f0661c54251
SHA1e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA25665fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA5120fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
-
Filesize
1.9MB
MD51b87684768db892932be3f0661c54251
SHA1e5acdb93f6eb75656c9a8242e21b01bf978dc7cf
SHA25665fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA5120fc3cc6ed99e45a3d1ca7cd2dd4d7bfc2f5f11ee7cf0e3d58bfbb4db26f16599cae45b96fc032cd6a050c1ea70bfd02291537088168dd149eee85b38d2527a82
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
262KB
MD55d2b3f808075ab6e605f4242d9c7a398
SHA12b0d4edf8ab7b84e7f8b5e05a18b39bf3ee5cf5b
SHA25632d1458fb5c0c08156568a658f30143786336a73dea1d76bef9becf4a55c0964
SHA512901a107dd865c14752cc61cfe9a08c5b50729a49d47b7010a03f44f5f3d51d9909c162bdd330771d9aa27f462f085fb2307543a8a28a62b46ed68ac7c037f797
-
Filesize
468KB
MD520bb118569b859e64feaaf30227e04b8
SHA13fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c
-
Filesize
468KB
MD520bb118569b859e64feaaf30227e04b8
SHA13fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c
-
Filesize
1.5MB
MD5400261992d812b24ecd3bfe79700443c
SHA1f4f0d341cc860f046b2713939c70da32944f7eda
SHA256222a5af34881bb68ffc370491a0f8d67b550cd368c49927715946365bbe8038f
SHA512ed25f5d636658f629625614a95d4bc7a999b10cb2689c38159afa5ff24afd5136119500d00ebe83d880702f9b8e560fb570d92199f56e865eccca9695b8582f9
-
Filesize
1.5MB
MD5400261992d812b24ecd3bfe79700443c
SHA1f4f0d341cc860f046b2713939c70da32944f7eda
SHA256222a5af34881bb68ffc370491a0f8d67b550cd368c49927715946365bbe8038f
SHA512ed25f5d636658f629625614a95d4bc7a999b10cb2689c38159afa5ff24afd5136119500d00ebe83d880702f9b8e560fb570d92199f56e865eccca9695b8582f9
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
46B
MD53f05819f995b4dafa1b5d55ce8d1f411
SHA1404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA2567e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA51234abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
19KB
MD589347300b0703c788c02a2633f510abc
SHA16cfa75695d42b40e48a68afebce7cd915dd734bd
SHA256baabad7d572de149749729a3394990c45d1c3fd2f69868714b9246767812502f
SHA51227614fd85bd0ef5a665551aafe83aaff97280486fa6bc71f34f380ff4a5b185881f320ba6801a82742ee3e2752fbab7e72633d2b0a48830c4b21a25f56d3c0d3
-
Filesize
19KB
MD589347300b0703c788c02a2633f510abc
SHA16cfa75695d42b40e48a68afebce7cd915dd734bd
SHA256baabad7d572de149749729a3394990c45d1c3fd2f69868714b9246767812502f
SHA51227614fd85bd0ef5a665551aafe83aaff97280486fa6bc71f34f380ff4a5b185881f320ba6801a82742ee3e2752fbab7e72633d2b0a48830c4b21a25f56d3c0d3
-
Filesize
970KB
MD5a6fdb245ce54149edacdfdd309ae2d80
SHA1172d23a0d5615012f04d33e5aaadae759ae4bf96
SHA2564ca5cc2a2338006f6c91dcaf233487054ec56548acca157a8f28261b818ccba2
SHA512ae918653007a27e0389b8b57a5c8c69f59d94709194fdf17d80479858b6d0d1f56dd8e008e191f25df8bace01d01e96a6faf20f52e3f81ce39215e7db3020041
-
Filesize
970KB
MD5a6fdb245ce54149edacdfdd309ae2d80
SHA1172d23a0d5615012f04d33e5aaadae759ae4bf96
SHA2564ca5cc2a2338006f6c91dcaf233487054ec56548acca157a8f28261b818ccba2
SHA512ae918653007a27e0389b8b57a5c8c69f59d94709194fdf17d80479858b6d0d1f56dd8e008e191f25df8bace01d01e96a6faf20f52e3f81ce39215e7db3020041
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
787KB
MD5336b31e1f8e338af8f705f71d86c193d
SHA1ffe60c301833857dd609a90a7ee08263aee87055
SHA2569e6a82ed6b6c702b776b5a66fb935706a29b1927f625ed2f144465b34d69bd58
SHA512d7484275a8f0520dcaf642d7b1270e852e8a8f2a9d0e355ac3ff6c53e539ad037d1586ab24c83346f78856ed4139d192efa95279846af915a7bbc601b94a9b12
-
Filesize
787KB
MD5336b31e1f8e338af8f705f71d86c193d
SHA1ffe60c301833857dd609a90a7ee08263aee87055
SHA2569e6a82ed6b6c702b776b5a66fb935706a29b1927f625ed2f144465b34d69bd58
SHA512d7484275a8f0520dcaf642d7b1270e852e8a8f2a9d0e355ac3ff6c53e539ad037d1586ab24c83346f78856ed4139d192efa95279846af915a7bbc601b94a9b12
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
604KB
MD548dd7831a477798e09521d6d0e91a1f0
SHA115b2797097df029ce0834c32556d74eeb4fa3d2e
SHA256bfcf787efc0341753f20fe4aa0d565d353d5083a593a8c0caf494418ee3299ba
SHA512985b3254e766be54e6a8ee769cde95ca468724709e89720726c1072b2d0d49078ca4fc07414e7e85624b91532e3e89b77e4d64c44136c3b4b08dce85c4dec261
-
Filesize
604KB
MD548dd7831a477798e09521d6d0e91a1f0
SHA115b2797097df029ce0834c32556d74eeb4fa3d2e
SHA256bfcf787efc0341753f20fe4aa0d565d353d5083a593a8c0caf494418ee3299ba
SHA512985b3254e766be54e6a8ee769cde95ca468724709e89720726c1072b2d0d49078ca4fc07414e7e85624b91532e3e89b77e4d64c44136c3b4b08dce85c4dec261
-
Filesize
383KB
MD54faf1251e4c29df8ba8e6a83dc671af6
SHA1b1dd967703a6f2632334fbbbcdc2e7c62c812134
SHA2565f89fcc7c00dfb580922a24bf3d341dd076a4bb7eb46f8eca6735ab6bf0743e8
SHA5126e60fe4ac906fb1c084f40e587c0773fde09bdaaa993ecdf0b51afcf59dbe310d877addb6ff6f673fa97283a6514264352ec146f325794c19ec5cd3856e89d6c
-
Filesize
383KB
MD54faf1251e4c29df8ba8e6a83dc671af6
SHA1b1dd967703a6f2632334fbbbcdc2e7c62c812134
SHA2565f89fcc7c00dfb580922a24bf3d341dd076a4bb7eb46f8eca6735ab6bf0743e8
SHA5126e60fe4ac906fb1c084f40e587c0773fde09bdaaa993ecdf0b51afcf59dbe310d877addb6ff6f673fa97283a6514264352ec146f325794c19ec5cd3856e89d6c
-
Filesize
344KB
MD5c59e7879c006a2f6b49a8533a8f27f52
SHA11a3e1eeeb8840e83194fde6da10e021da5d3a773
SHA256e35d402d511f74d7aef6f976f1377f55a8613f7a8db92437c59d6d8789a4598d
SHA512cd7f14c7b16b7738cdc533d177c956cf9908d73a5d1e548d195799bbc7ef6aee709ca9dc03215c4f32602a21810d15ef08b77c7fc506f2a58d55a9fed464892b
-
Filesize
344KB
MD5c59e7879c006a2f6b49a8533a8f27f52
SHA11a3e1eeeb8840e83194fde6da10e021da5d3a773
SHA256e35d402d511f74d7aef6f976f1377f55a8613f7a8db92437c59d6d8789a4598d
SHA512cd7f14c7b16b7738cdc533d177c956cf9908d73a5d1e548d195799bbc7ef6aee709ca9dc03215c4f32602a21810d15ef08b77c7fc506f2a58d55a9fed464892b
-
Filesize
220KB
MD577d810700ca22b14baeff270dd9f9ad2
SHA1a4a8279c52929096157863569f29a83c8b973be0
SHA2564cf9e115c6fff2c05c245ee87a93ade7ceec46c11d28b6a75374d57151258a03
SHA512f8bb97b00ffbdf88e82e857476672d4bb8ec95992d2cd1a2e85fff2ee80e162242a65fe1c3b67dafb495eeb8dae3a5e10bbb18975dce1b9facc8444ed60680a1
-
Filesize
220KB
MD577d810700ca22b14baeff270dd9f9ad2
SHA1a4a8279c52929096157863569f29a83c8b973be0
SHA2564cf9e115c6fff2c05c245ee87a93ade7ceec46c11d28b6a75374d57151258a03
SHA512f8bb97b00ffbdf88e82e857476672d4bb8ec95992d2cd1a2e85fff2ee80e162242a65fe1c3b67dafb495eeb8dae3a5e10bbb18975dce1b9facc8444ed60680a1
-
Filesize
364KB
MD574c2416eb3d1a7996d196651118effbc
SHA1f819eaf97879d598c9c8c41a187ab941662cdb28
SHA2563513b93a078efec391f1a3bec8ada0bd8a9f3523a6c6dbc7493ccb6dad62ac12
SHA512782eac42431f2e32de0c475eab1f787ca66fe183260e989420c26eb483000b7cc1a06abe4db3971dde018d21386426ce24ac880edc2bf1eda465af3c879d0734
-
Filesize
364KB
MD574c2416eb3d1a7996d196651118effbc
SHA1f819eaf97879d598c9c8c41a187ab941662cdb28
SHA2563513b93a078efec391f1a3bec8ada0bd8a9f3523a6c6dbc7493ccb6dad62ac12
SHA512782eac42431f2e32de0c475eab1f787ca66fe183260e989420c26eb483000b7cc1a06abe4db3971dde018d21386426ce24ac880edc2bf1eda465af3c879d0734
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
89KB
MD52ac6d3fcf6913b1a1ac100407e97fccb
SHA1809f7d4ed348951b79745074487956255d1d0a9a
SHA25630f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA51279ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
-
Filesize
89KB
MD52ac6d3fcf6913b1a1ac100407e97fccb
SHA1809f7d4ed348951b79745074487956255d1d0a9a
SHA25630f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA51279ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
-
Filesize
89KB
MD52ac6d3fcf6913b1a1ac100407e97fccb
SHA1809f7d4ed348951b79745074487956255d1d0a9a
SHA25630f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA51279ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
-
Filesize
273B
MD50c459e65bcc6d38574f0c0d63a87088a
SHA141e53d5f2b3e7ca859b842a1c7b677e0847e6d65
SHA256871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
SHA512be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k16kyoly.default-release\cookies.sqlite.id[ECCFD133-3483].[[email protected]].8base
Filesize96KB
MD5e7c31ccdb6aa8e89c11edf91ffa8e0da
SHA1bd2e5675c075eb50f0aa025dda29b2a3d800027d
SHA25680d7fb8a2da0531e24843ed5f8db6227c5a0c347f412de2a3b3e79ab0e73b286
SHA512fef6a38987add2cca2f51da407a886bbf44b1c90f5fd44a77bd5779ef131080b6e60a4f5ae1a6f416a163bc984484b8ce29dcf56aa9be8087e0dd0ec9e312098
-
Filesize
89KB
MD5ec41f740797d2253dc1902e71941bbdb
SHA1407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA25647425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
-
Filesize
89KB
MD5ec41f740797d2253dc1902e71941bbdb
SHA1407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA25647425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
-
Filesize
89KB
MD5ec41f740797d2253dc1902e71941bbdb
SHA1407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA25647425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
-
Filesize
273B
MD56d5040418450624fef735b49ec6bffe9
SHA15fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0
-
Filesize
5KB
MD5fcd56d79650e966cf400a3e64ad0c116
SHA1bb6e65d1a7a90357d6fec39660f56c7e058e3680
SHA2563d14b6150d26e75e1171362afc70095639c4c65d50f5654afa49549bfe467aad
SHA512da57f207fa77cd4b4caa4153670004efec8eb8f8bb58ee4278754ce2e969e0100f6975e0a161785cbccd6547fff2e0a5538924632001668e4751222e57413a57