Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
03/10/2023, 11:12
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230831-en
General
-
Target
file.exe
-
Size
876KB
-
MD5
017a82da7f811fc92a57a3b630c246e3
-
SHA1
0e411d8bdc009d3fd50f9983a0ca9c7d62fd8c72
-
SHA256
bde70ac579d1b9ce2d8bef8c8023debec0ca1a0e3cac07ea465e25b32aa0602a
-
SHA512
2d4932aa837920d66241cd422617dbbde3e2733d8874d5757687a44716321f3df12fc4620dea22a8556d12427e70239a4e210e1e3fd0870b831ada92d703a5a9
-
SSDEEP
12288:gMrfy90VY+asDkUK5UswGw6q8UJMT07e4sYuKgeAf2vFKgfheaz4ZxZWhMt5otF6:Pyb+ZDk9U3Mie4sQjf4ZxZWhntmB
Malware Config
Extracted
redline
jordan
77.91.124.55:19071
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
gigant
77.91.124.55:19071
Extracted
smokeloader
up3
Extracted
redline
@ytlogsbot
176.123.4.46:33783
-
auth_value
295b226f1b63bcd55148625381b27b19
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe 3760 schtasks.exe 4232 schtasks.exe 4984 schtasks.exe -
Detects Healer an antivirus disabler dropper 6 IoCs
resource yara_rule behavioral2/files/0x00070000000231e6-26.dat healer behavioral2/files/0x00070000000231e6-27.dat healer behavioral2/memory/2636-28-0x00000000005E0000-0x00000000005EA000-memory.dmp healer behavioral2/memory/5384-317-0x0000000000130000-0x000000000013A000-memory.dmp healer behavioral2/files/0x0007000000023258-316.dat healer behavioral2/files/0x0007000000023258-315.dat healer -
Glupteba payload 8 IoCs
resource yara_rule behavioral2/memory/5596-555-0x0000000004B10000-0x00000000053FB000-memory.dmp family_glupteba behavioral2/memory/5596-579-0x0000000000400000-0x000000000298D000-memory.dmp family_glupteba behavioral2/memory/5596-645-0x0000000000400000-0x000000000298D000-memory.dmp family_glupteba behavioral2/memory/5596-864-0x0000000000400000-0x000000000298D000-memory.dmp family_glupteba behavioral2/memory/5360-919-0x0000000000400000-0x000000000298D000-memory.dmp family_glupteba behavioral2/memory/5360-985-0x0000000000400000-0x000000000298D000-memory.dmp family_glupteba behavioral2/memory/4428-1046-0x0000000000400000-0x000000000298D000-memory.dmp family_glupteba behavioral2/memory/4428-1086-0x0000000000400000-0x000000000298D000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 5E9A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 5E9A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 5E9A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 5E9A.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 5E9A.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 1oe84jq1.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral2/memory/3616-48-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/files/0x0006000000023256-433.dat family_redline behavioral2/files/0x0006000000023256-434.dat family_redline behavioral2/memory/5424-435-0x00000000002A0000-0x00000000002DE000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2440 netsh.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation kos1.exe Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation kos.exe Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation 60BE.exe Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation explothe.exe Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation 7B6B.exe -
Executes dropped EXE 37 IoCs
pid Process 1096 us4DK37.exe 4988 mR1ZW65.exe 1352 Xp2LI48.exe 2636 1oe84jq1.exe 1292 2AV3412.exe 3764 3JH23IV.exe 4948 4iO520AV.exe 4144 5rc9QT5.exe 4840 587B.exe 432 5967.exe 1272 VR5us0ol.exe 4996 Or4RX8cx.exe 756 oS1CF3Qn.exe 2672 Xy0vr1bG.exe 5180 1Ti66oF6.exe 5280 5D70.exe 5384 5E9A.exe 5536 60BE.exe 5136 explothe.exe 5424 2Rb326Jw.exe 5792 7B6B.exe 5672 ss41.exe 5432 net.exe 5596 31839b57a4f11171d6abc8bbc4451ee4.exe 5880 kos1.exe 5200 toolspub2.exe 5516 806D.exe 6104 set16.exe 4092 kos.exe 3196 is-L61JH.tmp 5464 previewer.exe 5304 previewer.exe 5496 explothe.exe 5360 31839b57a4f11171d6abc8bbc4451ee4.exe 4428 csrss.exe 3220 injector.exe 4648 explothe.exe -
Loads dropped DLL 4 IoCs
pid Process 3196 is-L61JH.tmp 3196 is-L61JH.tmp 3196 is-L61JH.tmp 5372 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1oe84jq1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 5E9A.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" mR1ZW65.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" Xp2LI48.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" VR5us0ol.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" us4DK37.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 587B.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" Or4RX8cx.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" oS1CF3Qn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" Xy0vr1bG.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of SetThreadContext 8 IoCs
description pid Process procid_target PID 1292 set thread context of 4980 1292 2AV3412.exe 98 PID 3764 set thread context of 3900 3764 3JH23IV.exe 105 PID 4948 set thread context of 3616 4948 4iO520AV.exe 110 PID 432 set thread context of 5328 432 5967.exe 204 PID 5180 set thread context of 5368 5180 1Ti66oF6.exe 159 PID 5280 set thread context of 5752 5280 5D70.exe 170 PID 5432 set thread context of 5200 5432 net.exe 194 PID 5516 set thread context of 5412 5516 806D.exe 200 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 7 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat is-L61JH.tmp File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe is-L61JH.tmp File created C:\Program Files (x86)\PA Previewer\unins000.dat is-L61JH.tmp File created C:\Program Files (x86)\PA Previewer\is-AOANR.tmp is-L61JH.tmp File created C:\Program Files (x86)\PA Previewer\is-MOCNE.tmp is-L61JH.tmp File created C:\Program Files (x86)\PA Previewer\is-IRUUL.tmp is-L61JH.tmp File created C:\Program Files (x86)\PA Previewer\is-5FBH1.tmp is-L61JH.tmp -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3760 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
pid pid_target Process procid_target 3868 4980 WerFault.exe 98 2732 1292 WerFault.exe 96 3736 3764 WerFault.exe 103 1284 4948 WerFault.exe 108 5488 432 WerFault.exe 143 5568 5180 WerFault.exe 151 5616 5368 WerFault.exe 159 6120 5280 WerFault.exe 153 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4232 schtasks.exe 4984 schtasks.exe 3760 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2636 1oe84jq1.exe 2636 1oe84jq1.exe 3900 AppLaunch.exe 3900 AppLaunch.exe 5032 msedge.exe 5032 msedge.exe 3412 msedge.exe 3412 msedge.exe 1588 msedge.exe 1588 msedge.exe 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3180 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3900 AppLaunch.exe 5200 toolspub2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2636 1oe84jq1.exe Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeDebugPrivilege 5384 5E9A.exe Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeDebugPrivilege 4092 kos.exe Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeDebugPrivilege 5464 previewer.exe Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe 1588 msedge.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3180 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 760 wrote to memory of 1096 760 file.exe 85 PID 760 wrote to memory of 1096 760 file.exe 85 PID 760 wrote to memory of 1096 760 file.exe 85 PID 1096 wrote to memory of 4988 1096 us4DK37.exe 86 PID 1096 wrote to memory of 4988 1096 us4DK37.exe 86 PID 1096 wrote to memory of 4988 1096 us4DK37.exe 86 PID 4988 wrote to memory of 1352 4988 mR1ZW65.exe 87 PID 4988 wrote to memory of 1352 4988 mR1ZW65.exe 87 PID 4988 wrote to memory of 1352 4988 mR1ZW65.exe 87 PID 1352 wrote to memory of 2636 1352 Xp2LI48.exe 88 PID 1352 wrote to memory of 2636 1352 Xp2LI48.exe 88 PID 1352 wrote to memory of 1292 1352 Xp2LI48.exe 96 PID 1352 wrote to memory of 1292 1352 Xp2LI48.exe 96 PID 1352 wrote to memory of 1292 1352 Xp2LI48.exe 96 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 1292 wrote to memory of 4980 1292 2AV3412.exe 98 PID 4988 wrote to memory of 3764 4988 mR1ZW65.exe 103 PID 4988 wrote to memory of 3764 4988 mR1ZW65.exe 103 PID 4988 wrote to memory of 3764 4988 mR1ZW65.exe 103 PID 3764 wrote to memory of 3900 3764 3JH23IV.exe 105 PID 3764 wrote to memory of 3900 3764 3JH23IV.exe 105 PID 3764 wrote to memory of 3900 3764 3JH23IV.exe 105 PID 3764 wrote to memory of 3900 3764 3JH23IV.exe 105 PID 3764 wrote to memory of 3900 3764 3JH23IV.exe 105 PID 3764 wrote to memory of 3900 3764 3JH23IV.exe 105 PID 1096 wrote to memory of 4948 1096 us4DK37.exe 108 PID 1096 wrote to memory of 4948 1096 us4DK37.exe 108 PID 1096 wrote to memory of 4948 1096 us4DK37.exe 108 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 4948 wrote to memory of 3616 4948 4iO520AV.exe 110 PID 760 wrote to memory of 4144 760 file.exe 113 PID 760 wrote to memory of 4144 760 file.exe 113 PID 760 wrote to memory of 4144 760 file.exe 113 PID 4144 wrote to memory of 5096 4144 5rc9QT5.exe 115 PID 4144 wrote to memory of 5096 4144 5rc9QT5.exe 115 PID 5096 wrote to memory of 3780 5096 cmd.exe 116 PID 5096 wrote to memory of 3780 5096 cmd.exe 116 PID 3780 wrote to memory of 2168 3780 msedge.exe 118 PID 3780 wrote to memory of 2168 3780 msedge.exe 118 PID 5096 wrote to memory of 1588 5096 cmd.exe 119 PID 5096 wrote to memory of 1588 5096 cmd.exe 119 PID 1588 wrote to memory of 1944 1588 msedge.exe 120 PID 1588 wrote to memory of 1944 1588 msedge.exe 120 PID 1588 wrote to memory of 4384 1588 msedge.exe 121 PID 1588 wrote to memory of 4384 1588 msedge.exe 121 PID 1588 wrote to memory of 4384 1588 msedge.exe 121 PID 1588 wrote to memory of 4384 1588 msedge.exe 121 PID 1588 wrote to memory of 4384 1588 msedge.exe 121 PID 1588 wrote to memory of 4384 1588 msedge.exe 121 PID 1588 wrote to memory of 4384 1588 msedge.exe 121 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\us4DK37.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mR1ZW65.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Xp2LI48.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1oe84jq1.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AV3412.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵PID:4980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 5407⤵
- Program crash
PID:3868
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 6166⤵
- Program crash
PID:2732
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3JH23IV.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 6005⤵
- Program crash
PID:3736
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iO520AV.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:3616
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1524⤵
- Program crash
PID:1284
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3B4.tmp\3B5.tmp\3B6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5rc9QT5.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff060c46f8,0x7fff060c4708,0x7fff060c47185⤵PID:2168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,12146193027218610450,8218992721722641417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,12146193027218610450,8218992721722641417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:25⤵PID:4964
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff060c46f8,0x7fff060c4708,0x7fff060c47185⤵PID:1944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:25⤵PID:4384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:85⤵PID:3644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:15⤵PID:3964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:15⤵PID:3404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:15⤵PID:1736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:85⤵PID:3612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:85⤵PID:4000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:15⤵PID:3692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:15⤵PID:3364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:15⤵PID:464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:15⤵PID:3588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:15⤵PID:5728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:15⤵PID:5312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:15⤵PID:2588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,18392642830819798204,5559207121657909281,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:15⤵PID:6016
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1292 -ip 12921⤵PID:912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4980 -ip 49801⤵PID:2924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3764 -ip 37641⤵PID:3920
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4948 -ip 49481⤵PID:2792
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1028
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2328
-
C:\Users\Admin\AppData\Local\Temp\587B.exeC:\Users\Admin\AppData\Local\Temp\587B.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VR5us0ol.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1272 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Or4RX8cx.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4996 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\oS1CF3Qn.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:756 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xy0vr1bG.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ti66oF6.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5180 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:5368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 5448⤵
- Program crash
PID:5616
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5180 -s 6007⤵
- Program crash
PID:5568
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Rb326Jw.exe6⤵
- Executes dropped EXE
PID:5424
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5967.exeC:\Users\Admin\AppData\Local\Temp\5967.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:432 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:5300
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:5328
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1562⤵
- Program crash
PID:5488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B2D.bat" "1⤵PID:1156
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login2⤵PID:5632
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff060c46f8,0x7fff060c4708,0x7fff060c47183⤵PID:5648
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/2⤵PID:5796
-
-
C:\Users\Admin\AppData\Local\Temp\5D70.exeC:\Users\Admin\AppData\Local\Temp\5D70.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5280 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:5716
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:5752
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5280 -s 1482⤵
- Program crash
PID:6120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 432 -ip 4321⤵PID:5356
-
C:\Users\Admin\AppData\Local\Temp\5E9A.exeC:\Users\Admin\AppData\Local\Temp\5E9A.exe1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:5384
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5180 -ip 51801⤵PID:5476
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5368 -ip 53681⤵PID:5548
-
C:\Users\Admin\AppData\Local\Temp\60BE.exeC:\Users\Admin\AppData\Local\Temp\60BE.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5536 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5136 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F3⤵
- DcRat
- Creates scheduled task(s)
PID:3760
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit3⤵PID:5976
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:6044
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"4⤵PID:6040
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E4⤵PID:6088
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"4⤵PID:6108
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:6092
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E4⤵PID:5216
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main3⤵
- Loads dropped DLL
PID:5372
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5280 -ip 52801⤵PID:5808
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff060c46f8,0x7fff060c4708,0x7fff060c47181⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\7B6B.exeC:\Users\Admin\AppData\Local\Temp\7B6B.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5792 -
C:\Users\Admin\AppData\Local\Temp\ss41.exe"C:\Users\Admin\AppData\Local\Temp\ss41.exe"2⤵
- Executes dropped EXE
PID:5672
-
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"2⤵PID:5432
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5200
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 83⤵PID:5328
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵
- Executes dropped EXE
PID:5596 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:1516
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5360 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5536
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:5620
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:2440
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3900
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5008
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
PID:4428 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5312
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:4232
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:3764
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4612
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4172
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:3220
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:4984
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos1.exe"C:\Users\Admin\AppData\Local\Temp\kos1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5880 -
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"3⤵
- Executes dropped EXE
PID:6104 -
C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp"C:\Users\Admin\AppData\Local\Temp\is-69KEV.tmp\is-L61JH.tmp" /SL4 $30262 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 522244⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3196 -
C:\Program Files (x86)\PA Previewer\previewer.exe"C:\Program Files (x86)\PA Previewer\previewer.exe" -i5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5464
-
-
C:\Program Files (x86)\PA Previewer\previewer.exe"C:\Program Files (x86)\PA Previewer\previewer.exe" -s5⤵
- Executes dropped EXE
PID:5304
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 85⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos.exe"C:\Users\Admin\AppData\Local\Temp\kos.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092
-
-
-
C:\Users\Admin\AppData\Local\Temp\806D.exeC:\Users\Admin\AppData\Local\Temp\806D.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5516 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:5412
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:5496
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:4648
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:3760
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
3Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
Filesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
Filesize
152B
MD5c126b33f65b7fc4ece66e42d6802b02e
SHA12a169a1c15e5d3dab708344661ec04d7339bcb58
SHA256ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8
SHA512eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822
-
Filesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
Filesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
Filesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
Filesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
Filesize
152B
MD5db9dbef3f8b1f616429f605c1ebca2f0
SHA1ffba76f0836c024828d4ff1982cc4240c41a8f16
SHA2563e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1
SHA5124eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD59e62365be47b0aab77ce92df70c013d2
SHA1861b28f134b3f53263160e1b2aead003351c60c9
SHA256c857b3c4797f24c5227f2f354758195defae244c6fd587c8e02f0c7d4d665c80
SHA512516a42ab745bbc75864b5322975164f1ab3e8aaf23f84b86eb89dcd7636062eb41e9c47b1672fd5c508821793306fcbce8f6a2efb640ffcd4882f8d560dfc691
-
Filesize
1KB
MD5b8009c760ebb31158ffbef38b748374a
SHA102ef17bb074d4c7b3b8293b5fea2c0d83a2d2ed2
SHA25694e89b2ad393bc9d4bdd71805f1cb71b6257c7fe2b5aaa3348e08f43256e8556
SHA512356a79269950966a647027fbdbe6359a991aa62446ffcc4c3bcc96e45c428e81170907ce11257e0a4dce4ad857916f10a487d75a42814ac4b09b92835e71c7b8
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD5fa7ccb55f138d3fa34ba083cb6672e5d
SHA15a3195f0f985ebd86a3b02c73b3c339deb16f15a
SHA256041f469256e1389154971241e32a001e8dd3dab8f902a44ab7d275309ef6b0d5
SHA5126347f8f61db02ec9165fdebea5d0863b52f1a8d2a54329f863272d2446d77a3be789c2c1d6cdb167b38412597c4964d2484d7723a162abf3d50710e899ff2f96
-
Filesize
7KB
MD5e49fabb5c0f843978a779b71cb1cf8eb
SHA1488d5bc88c8a26348a605c67fccb161551e78649
SHA256a9825b73be9a2731d879f2d477a09a2bb7990d511626d34f26d10e6524912ea9
SHA51279ab6e118e4d440eaee10e486abb411ddee45191718688930bf9933d9bbfbde3c1bda6eae1769257f1df70db9df145d2291c71c664593a149e18272850216f31
-
Filesize
5KB
MD5a59f07c2202deb39b2abde57c6df6085
SHA1312d5dbfe68ca12f947a2dd44d68362d3d6c9b90
SHA2564c5b5b1a6bf15d9a9eb0d1a07580532a6c7903e360a48321b466d4a49f1a6bab
SHA512e2103d17e13acd80f2012003c7af70ad569d8ba7ab0adc0e539d3d1605faa30d62cded16b1d8d45d08eb296aee6eb62a0237b4a8efee1ddba7df595319bc9ec1
-
Filesize
6KB
MD5f364ba46e73fefb452bc6694e331b0f6
SHA11a86391480685cfb5ca064234a57fc7ca9c6560b
SHA25634053fcb1101bb79e5dbc7e797614f68e43502f310576ad3c8a6c6631041f87a
SHA512f7deb47912ea90f5fbd1d4cd4e479e1d73b79ac9420b5f794adfde07a1dff8cf552604b5e3d5185e0cb48486b6f53b96c6ab20d757ed7077ddd0c58ee79b59b7
-
Filesize
24KB
MD56dcb90ba1ba8e06c1d4f27ec78f6911a
SHA171e7834c7952aeb9f1aa6eb88e1959a1ae4985d9
SHA25630d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416
SHA512dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9
-
Filesize
872B
MD559a9abbe7f411ab441df459f4f74ee7e
SHA1fd7ad280579e7cf4a815d03c92577e0c10888522
SHA256fe529b7de29f85f6ca10a510a2b17da919e408ff6ef296796b121b0c9dfe73e6
SHA5127e5bede28e54591ed2bf816ec22a8be135617b77dc7e00ea9b90bd69f2e88e19f461d0dfb437920246b5ab1d19997f4b344b706ee587dcc96928157dd1cbc2bf
-
Filesize
872B
MD5774b3c097adca838e5e005809c79b926
SHA13035a5591107b5737bb493a2bdce7a311b1721be
SHA256efca4e9ec5c178eef86e88f0dc06422ce00d9b1691e53dcd6207428889a0dbae
SHA51231580bae3fb895c7a5bd80c9d1b92cd3ac2e0ad8a242209b53b0b1ed866d40d4d56dac29f5bb46e674bcbbad50834578d99ee8186fafe45b01b9a2788605c629
-
Filesize
866B
MD5afcd732d6449e6fe0b7a609ff70fae92
SHA1a07fb77916ad41d01c5c42b919d6a11bc52aeded
SHA25646e539775ce92f4ea0498cc1b7ab19041cf1e9f1254b838e390b0b112e2879f9
SHA5126e6f90048d0077a13a1e2afdff09fde3dc00ee5e4c65e32386585d28bbb333600623dc88d7aaed3fa0525ea5c44d43b9750a4f1d82462ccbca651f2f108704d9
-
Filesize
872B
MD5870de09e623182cec5e186354874be2a
SHA182837ba800b0821d44fd04f07394c328c3b8530d
SHA256f62fda7162b085bbf2b49426a6ede252485a0f4b5a3701879c3f853540439ff6
SHA51286dd264f6c6b71ac2922d5b1f71c3a5c4a096e9839c7c5696ea52f60dfcab051dd9b5fb8c75241278dde5d6fe8b66dbf0f5e3d490ed4ca66ef4a659d65c72fa1
-
Filesize
864B
MD5f35d05b970a245b6ebdd23acdb77597c
SHA1f59b4e8dd6e306eceb06287e9b80458fc380ccc4
SHA25609d6fb3c16239dac69e16cb09122f7071f2bae9f22101d50db3384b297fd0733
SHA512dcae5b80ba09e50a36e5446612b6ff433996d93d884a179d8530bca06e817e5dd8d386a6b7aa2e16ad4ac64dbe9646fa7a1423a703ef688bc6b5147842b42e11
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5a73a3cab6d00f4e33a0ea5b77d83c4b3
SHA1292c8a34e8d713389853eaa97b1c75915104bc7f
SHA256694b4024a42ab399c7448bdc85f0073ec7d5e752aac4dbe67c4354c7f2ba6843
SHA512265a790de2d67c8274b9389445536eb1faaa8afdd63dec7e71712e4cd46011b511691dcbb9e7aab52bbaa18e9b6c91e136ed0380cb785c696a9d4a797a4b6b40
-
Filesize
10KB
MD5b1b3d0462153da41cf01735390211f59
SHA1214860d911b5be901036fc7bb69913a5cbb86c70
SHA2569bce46337dcb1f2282fa259130df0b3bbcbe237551744af46a86ca52342b31ed
SHA512c6601be775b18a3b58eada9ba8eb4d27d161130b589697a966cc1462bfd2889a2c26c54743993a7efb4b95781d23dfe0ea6db7d24e453a2aae13f7f79d4dcaad
-
Filesize
2KB
MD5ba126223517b49e951ce2ac5f53c7a8f
SHA1bf8030b86ddab2e9ec75cda0caead93431d9f4ba
SHA256f5b49a1f835071ba809e0234202cd7c3a1507a0ed476a1935ae04a78d8945583
SHA5120b6aef37012321d8fe0fb46617cdb1672bd4bd1aa68144dfdcd23598e54c835abdac7f04b8c2a6e10267c1c0db51c72a3ff294a9bbf41e923f133bd5c0e259ce
-
Filesize
2KB
MD5ba126223517b49e951ce2ac5f53c7a8f
SHA1bf8030b86ddab2e9ec75cda0caead93431d9f4ba
SHA256f5b49a1f835071ba809e0234202cd7c3a1507a0ed476a1935ae04a78d8945583
SHA5120b6aef37012321d8fe0fb46617cdb1672bd4bd1aa68144dfdcd23598e54c835abdac7f04b8c2a6e10267c1c0db51c72a3ff294a9bbf41e923f133bd5c0e259ce
-
Filesize
4.2MB
MD57ea584dc49967de03bebdacec829b18d
SHA13d47f0e88c7473bedeed2f14d7a8db1318b93852
SHA25679232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53
SHA512ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0
-
Filesize
90B
MD55a115a88ca30a9f57fdbb545490c2043
SHA167e90f37fc4c1ada2745052c612818588a5595f4
SHA25652c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA51217c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe
-
Filesize
1.1MB
MD558f0d05dc318fb27da641c03fa4d664d
SHA1daf53aa6f3f5706c1aec7c8149dd3973159d5264
SHA2563f604bed00436d2063eb5e64e7443afd4c94b96cf4a5391150a8b2b6199261f2
SHA5129ee0cf60aac3acfa2fe3bb466acdc549567f01fb817008ace925a0178a5d0f3409499ff7d6f6f3953298041cfb6ef758347d30c261b6190ee3d9e9deb17396c7
-
Filesize
1.1MB
MD558f0d05dc318fb27da641c03fa4d664d
SHA1daf53aa6f3f5706c1aec7c8149dd3973159d5264
SHA2563f604bed00436d2063eb5e64e7443afd4c94b96cf4a5391150a8b2b6199261f2
SHA5129ee0cf60aac3acfa2fe3bb466acdc549567f01fb817008ace925a0178a5d0f3409499ff7d6f6f3953298041cfb6ef758347d30c261b6190ee3d9e9deb17396c7
-
Filesize
285KB
MD50b5d6ef3c97a9e982265f7af225e5a9c
SHA11997d3ee98bd097055ab61b4c3d63637b120bee3
SHA256fe7f655249dcdafa18d1ff185dfc1b26d1c71262ad2f76391f0e423e9bb240e4
SHA51271784323e6aab3550314fae076fc6b3a35e3c30e707f53f16a19d9b3d533c2da1215c33038b195fc72bec245b64897b5cc21c8392fcce5fcfdf354214dd6bea8
-
Filesize
285KB
MD50b5d6ef3c97a9e982265f7af225e5a9c
SHA11997d3ee98bd097055ab61b4c3d63637b120bee3
SHA256fe7f655249dcdafa18d1ff185dfc1b26d1c71262ad2f76391f0e423e9bb240e4
SHA51271784323e6aab3550314fae076fc6b3a35e3c30e707f53f16a19d9b3d533c2da1215c33038b195fc72bec245b64897b5cc21c8392fcce5fcfdf354214dd6bea8
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
367KB
MD50e6557057a1d9769a7cc3b4f670fdde5
SHA18870b8d7db588dd57b416e474875b908517cbedb
SHA256aa0a00deb37f55d80e804526da1e0675f595772782a4871e3fc2be021da6c10c
SHA51213a4af52593a02b8309d0c71d70932527c792f7145cee1d3102b5504352185a80257af7fc5921bda690e6eae068f22616ed59677e00906d76c3d9dee43f5ad40
-
Filesize
367KB
MD50e6557057a1d9769a7cc3b4f670fdde5
SHA18870b8d7db588dd57b416e474875b908517cbedb
SHA256aa0a00deb37f55d80e804526da1e0675f595772782a4871e3fc2be021da6c10c
SHA51213a4af52593a02b8309d0c71d70932527c792f7145cee1d3102b5504352185a80257af7fc5921bda690e6eae068f22616ed59677e00906d76c3d9dee43f5ad40
-
Filesize
19KB
MD5cb71132b03f15b037d3e8a5e4d9e0285
SHA195963fba539b45eb6f6acbd062c48976733519a1
SHA2567f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a
-
Filesize
19KB
MD5cb71132b03f15b037d3e8a5e4d9e0285
SHA195963fba539b45eb6f6acbd062c48976733519a1
SHA2567f7d4ba0b7b46eff509b3aa2105d10d25f79e13ef3c1b1ec9c889cf2f0f1d373
SHA512d140809bcac5b6b47f710c18ca1df1a3dd9b9adb95dbc368049cdc91874070c9a9f67137941ab17147143ebfabb81de7f1e697e42b0a28d51776b2f9c48cba4a
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
90KB
MD54ebbad6aee33844e33bf065fc7f9c295
SHA1c07ae3a150d9dbbda4af182eb33c543b90f278b4
SHA2569ee644db78bab1302f55478c204817f51fcee037157d2e047bf6d1f45ded36ff
SHA512b81c1ab752b98e2d632120016abe987d98a20a59d9775d9ff4293b08d44025be9f5f15e1b1a9011e5328318d6a7db338101624d6f6aa3f5b0cd8ab8a9864a121
-
Filesize
90KB
MD54ebbad6aee33844e33bf065fc7f9c295
SHA1c07ae3a150d9dbbda4af182eb33c543b90f278b4
SHA2569ee644db78bab1302f55478c204817f51fcee037157d2e047bf6d1f45ded36ff
SHA512b81c1ab752b98e2d632120016abe987d98a20a59d9775d9ff4293b08d44025be9f5f15e1b1a9011e5328318d6a7db338101624d6f6aa3f5b0cd8ab8a9864a121
-
Filesize
90KB
MD55235caae76d02f5952194d9ca29b3b03
SHA1c5d28760e6bbb69298904aa1f9bf9ba777b23697
SHA256c82317a752e64d5d09b5d4ca0a517c625141a50c535a2bd0b6148d18306632dc
SHA512601ed5535bedad1b3eece71ac74580e57c4f375c7eb714a4efe0ad53b3fc4fcce19a2e9d317fd71896ca80825f573abf594579ee9f0f3885c8944507d72797d7
-
Filesize
962KB
MD566c3517503dc4974307fec6ffa661d5a
SHA17c371312352f3335f55053e19ed5138b355a81b4
SHA256bfdea6f786a62a1efa9971fca4695516f625cc33748559957af2e95e518434a0
SHA51286d3c68c407943cd4ab798acc864777453acec3c7db483ec0189f86a09fccf70bf516bff911251db1ef26e39baf4650b784056f628963ea89c153ebfc47d12bf
-
Filesize
962KB
MD566c3517503dc4974307fec6ffa661d5a
SHA17c371312352f3335f55053e19ed5138b355a81b4
SHA256bfdea6f786a62a1efa9971fca4695516f625cc33748559957af2e95e518434a0
SHA51286d3c68c407943cd4ab798acc864777453acec3c7db483ec0189f86a09fccf70bf516bff911251db1ef26e39baf4650b784056f628963ea89c153ebfc47d12bf
-
Filesize
737KB
MD50f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA51268c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5
-
Filesize
737KB
MD50f1e6bd57eb05a9fd74ff70b15d82ad2
SHA1a2e2ce16c2b0e838c7d304359c08b631c810e321
SHA256d4d41f660bacfd5b9aa8e27245cc404660be60b87206e47d9bc31155fb28127f
SHA51268c1f9d1ba3568171e8ec6d0a641ad24622da0c341d98e9aff59ea3e12dbb93def460ab7001bc2738dadda0c8d58b0771d78cf9d08ca3a59d93b3349b3ad79b5
-
Filesize
367KB
MD5f076f5cd08dd7d24d0e82a03ac936d64
SHA10726d218b7507e7cc120168fe815526f7762f562
SHA25667db4064ea0a14f2e40504e7cf70f795bc784a3ba5461f6ffe6857e242e28874
SHA5123b47ef5e127747e48975f34b11867e35d351db9d2a030981fd03c086eb4ea189f6b402b1d4f53cb4740e3d796b45d0a1a22d078023e131985a4a128a8eb726d1
-
Filesize
367KB
MD5f076f5cd08dd7d24d0e82a03ac936d64
SHA10726d218b7507e7cc120168fe815526f7762f562
SHA25667db4064ea0a14f2e40504e7cf70f795bc784a3ba5461f6ffe6857e242e28874
SHA5123b47ef5e127747e48975f34b11867e35d351db9d2a030981fd03c086eb4ea189f6b402b1d4f53cb4740e3d796b45d0a1a22d078023e131985a4a128a8eb726d1
-
Filesize
490KB
MD5eaf5703824f4cd6826d0b72d5d4858be
SHA1ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA2561eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105
-
Filesize
490KB
MD5eaf5703824f4cd6826d0b72d5d4858be
SHA1ce3b239c05f9c18c1e988e71f38114fcf4d1445e
SHA2561eb4091def0be71ab3151934cc38ab164daee0e32f915dbc011b99f59637c312
SHA512b44b30c5e1ab3135a4a2e25c542010206d600c6be9fd816e40e8988807e144aea3e09693e4c0613aa45ab1b5764474b68a0da39dd89bf9af3bcb5c09d30d2105
-
Filesize
175KB
MD5795944457f25ee822611f7e0e516ac1e
SHA17363da5dd6b7175efa8d815e4fec55ff1670717a
SHA25630a8c218e4928a256ea674b209e144faf929fd550c39ea488399ecc6b7c8e2c7
SHA51295c77df271e0ea0f356023c1e019c3ba3d2243deeed1f630d2b7ef8c37954a7a59558b018f4dcf8c4a80fc2e693c90485a780922a09f88d45005ba0cb09d7e3f
-
Filesize
175KB
MD5795944457f25ee822611f7e0e516ac1e
SHA17363da5dd6b7175efa8d815e4fec55ff1670717a
SHA25630a8c218e4928a256ea674b209e144faf929fd550c39ea488399ecc6b7c8e2c7
SHA51295c77df271e0ea0f356023c1e019c3ba3d2243deeed1f630d2b7ef8c37954a7a59558b018f4dcf8c4a80fc2e693c90485a780922a09f88d45005ba0cb09d7e3f
-
Filesize
779KB
MD549aafacee476804694b089564753232a
SHA1e5f3f789c72b9f57f646dfbdcd8da420ffbd6460
SHA256802b6e16f12cfa5b130717d3500c22a7ee02bbb783b20935ffba17145c3c5787
SHA51230be2c3e14b54b0fb9b30b2517db720d185d80cf6f5d49a179c5eed44c31c7cfd056c0e792715b7fa558dc8c57ef3ae2a5c4389cc2f62d00bc4507a390d4575c
-
Filesize
779KB
MD549aafacee476804694b089564753232a
SHA1e5f3f789c72b9f57f646dfbdcd8da420ffbd6460
SHA256802b6e16f12cfa5b130717d3500c22a7ee02bbb783b20935ffba17145c3c5787
SHA51230be2c3e14b54b0fb9b30b2517db720d185d80cf6f5d49a179c5eed44c31c7cfd056c0e792715b7fa558dc8c57ef3ae2a5c4389cc2f62d00bc4507a390d4575c
-
Filesize
293KB
MD5270fed371af6acb335e5177f1d654d85
SHA1c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA51228a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53
-
Filesize
293KB
MD5270fed371af6acb335e5177f1d654d85
SHA1c3fc74b07b2a5596edc0f347b1a11bd77ec5e613
SHA256f2c4e0a40ca39423375f801ac60643cbf910d15278891fa904cff5d26a55a958
SHA51228a6938c4c2015d1eca20c187342cbcbc404e97c7a19532db6c5af52537dddeaa2587f5893cae226f11e8b2afd83a5f6203b55c3c6737663266a9e494d98fc53
-
Filesize
12KB
MD58d04e032bc6ad6b3ba2b7998e65e6f13
SHA166c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA25690ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3
-
Filesize
12KB
MD58d04e032bc6ad6b3ba2b7998e65e6f13
SHA166c8a49b5597f8fdab0bbe708c0335f85ef19986
SHA25690ff834f35b4a789d0d25c6252880635bf326d594e1156e785231b72ee59ebbf
SHA512efa2838bca833114a7417ea21e42644866d7b1c6352447735211dbc102f1d86bab0a59f2a27233eeae2fb6c43de01613437439132e188370de5d85937d9671c3
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
285KB
MD5890f04e0a2f7f9b29f432ae5d7829143
SHA1ce9553b4addcefb38e23059d6a42f384cce8f8e4
SHA256f21589011e457cbe216d110de778461b4737cd44a68a242cbf45a3233bd2d2b8
SHA5120479256135b6dee7d58239f03f3a09ff4e9e0d1e8991ef1ad094b0069c39f5a9e821c348a4dfa9e6ee0332434a767a1c3c002368018da4adf93d0b2691296c4b
-
Filesize
532KB
MD59014a0234d2c58ee7cf349c19e148c3b
SHA153b90f7cdbb745bbe5616cbbfd609323df8f822a
SHA2565956c5a0dac5224aae9b8309e85290aa11b081d874f69d539817ba6d01ea613c
SHA51242c4e86e34bf75bc00d6b7d8fa090e6ee1435e0b8a3c895810aa683e0ad6a6459f6b16182ba73b2e62270c2a158d9565e5143b0a308122d0042aebeb2bb01c06
-
Filesize
532KB
MD59014a0234d2c58ee7cf349c19e148c3b
SHA153b90f7cdbb745bbe5616cbbfd609323df8f822a
SHA2565956c5a0dac5224aae9b8309e85290aa11b081d874f69d539817ba6d01ea613c
SHA51242c4e86e34bf75bc00d6b7d8fa090e6ee1435e0b8a3c895810aa683e0ad6a6459f6b16182ba73b2e62270c2a158d9565e5143b0a308122d0042aebeb2bb01c06
-
Filesize
366KB
MD5ad04538ac68bdbcdd4af15df754950df
SHA101a914d0ff62513dd29e5471a06262425b3587d0
SHA256a148f9b369eb12dcc206683c98559e264ce830b4402c2e2aac6559eec6f3f621
SHA512da9a246975b6bd40ee83cdf91f96f7d44b84becfe925fcd7c9976a8b6c950e1d40b5adf448460b64ab8a6351e4370c47f338bb0f4197a7abde976dc9da7b9eef
-
Filesize
366KB
MD5ad04538ac68bdbcdd4af15df754950df
SHA101a914d0ff62513dd29e5471a06262425b3587d0
SHA256a148f9b369eb12dcc206683c98559e264ce830b4402c2e2aac6559eec6f3f621
SHA512da9a246975b6bd40ee83cdf91f96f7d44b84becfe925fcd7c9976a8b6c950e1d40b5adf448460b64ab8a6351e4370c47f338bb0f4197a7abde976dc9da7b9eef
-
Filesize
285KB
MD594fe8c5b20737216593756185af3492c
SHA18eead059a52929964e302ea5b368b979839c2cac
SHA256de73644bad0e5ac1b38ac89d00ec878bd467884f5ba2c13a5d7ff900a2bf0b9a
SHA5124105e2ddfb853054057fa6eee53e74df7f335bad223a990487e99621ceb64959183fd3dc04fb03a820df684eda2056a941f9f6549fd18d1be360c52f1dc9e340
-
Filesize
285KB
MD594fe8c5b20737216593756185af3492c
SHA18eead059a52929964e302ea5b368b979839c2cac
SHA256de73644bad0e5ac1b38ac89d00ec878bd467884f5ba2c13a5d7ff900a2bf0b9a
SHA5124105e2ddfb853054057fa6eee53e74df7f335bad223a990487e99621ceb64959183fd3dc04fb03a820df684eda2056a941f9f6549fd18d1be360c52f1dc9e340
-
Filesize
222KB
MD5e748f885cdee27913e4462d9db102166
SHA1b242938a5bdec37c2f831054992c48246e0bcb3c
SHA2569403b9206c3f092ac6c85ad1f7e19006c1bb823609bd3f9a9926be3b84f638c2
SHA512d4e1fc798ca5387ef914d314a77fbe8025047e7c666cd61c055884b5629d50a9dab7e02363b18ad7aa0f4b3b4304f95c6a01413cc9de280cf2efee82adfd6363
-
Filesize
222KB
MD5e748f885cdee27913e4462d9db102166
SHA1b242938a5bdec37c2f831054992c48246e0bcb3c
SHA2569403b9206c3f092ac6c85ad1f7e19006c1bb823609bd3f9a9926be3b84f638c2
SHA512d4e1fc798ca5387ef914d314a77fbe8025047e7c666cd61c055884b5629d50a9dab7e02363b18ad7aa0f4b3b4304f95c6a01413cc9de280cf2efee82adfd6363
-
Filesize
116B
MD5ec6aae2bb7d8781226ea61adca8f0586
SHA1d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
8KB
MD5076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA17b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA51275e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b
-
Filesize
1.4MB
MD585b698363e74ba3c08fc16297ddc284e
SHA1171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA25678efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA5127e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796
-
Filesize
1.4MB
MD522d5269955f256a444bd902847b04a3b
SHA141a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c
-
Filesize
416KB
MD583330cf6e88ad32365183f31b1fd3bda
SHA11c5b47be2b8713746de64b39390636a81626d264
SHA2567ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e
SHA512e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908
-
Filesize
338KB
MD5528b5dc5ede359f683b73a684b9c19f6
SHA18bff4feae6dbdaafac1f9f373f15850d08e0a206
SHA2563a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9
SHA51287cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9