Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
10/10/2023, 20:02
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230915-en
General
-
Target
file.exe
-
Size
427KB
-
MD5
6c1581c681ae8cd6f6b09f159aed7219
-
SHA1
2918809f6da16e5111a24ff91dc9bb358faaac8a
-
SHA256
da66fedd7831c720e47597fda2295ebcb868479b9c21bc86646c523b99e3233c
-
SHA512
984dd12a724222176748c70bd052a0595726f720cf8dd6bd381e8415c4579af4254166417b86b2ed97890c9625060006433e1337fe973ae793407522632d018b
-
SSDEEP
6144:KIy+bnr+Np0yN90QEMmIOqxxJEJYz1XeuqLVMpbgrcWFNb1vFRQAy6WQ:IMrFy90ZINXOg0VLVMFWc8NbnRXlWQ
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
magia
77.91.124.55:19071
Extracted
redline
lutyr
77.91.124.55:19071
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
pixelscloud
85.209.176.171:80
Extracted
redline
6012068394_99
https://pastebin.com/raw/8baCJyMF
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 3448 schtasks.exe 4572 schtasks.exe 1460 schtasks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe -
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral2/memory/3104-19-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic behavioral2/memory/3104-20-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic behavioral2/memory/3104-21-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic behavioral2/memory/3104-23-0x0000000000400000-0x0000000000428000-memory.dmp family_mystic -
Detects Healer an antivirus disabler dropper 3 IoCs
resource yara_rule behavioral2/files/0x000700000002321f-89.dat healer behavioral2/files/0x000700000002321f-91.dat healer behavioral2/memory/4968-93-0x0000000000C60000-0x0000000000C6A000-memory.dmp healer -
Glupteba payload 6 IoCs
resource yara_rule behavioral2/memory/5304-372-0x0000000004780000-0x000000000506B000-memory.dmp family_glupteba behavioral2/memory/5304-375-0x0000000000400000-0x000000000266D000-memory.dmp family_glupteba behavioral2/memory/5304-411-0x0000000000400000-0x000000000266D000-memory.dmp family_glupteba behavioral2/memory/5304-440-0x0000000004780000-0x000000000506B000-memory.dmp family_glupteba behavioral2/memory/5304-448-0x0000000000400000-0x000000000266D000-memory.dmp family_glupteba behavioral2/memory/5304-527-0x0000000000400000-0x000000000266D000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C141.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C141.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C141.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C141.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C141.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C141.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 6 IoCs
resource yara_rule behavioral2/memory/2552-109-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/files/0x0006000000023219-123.dat family_redline behavioral2/files/0x0006000000023219-122.dat family_redline behavioral2/memory/1424-126-0x0000000000090000-0x00000000000CE000-memory.dmp family_redline behavioral2/memory/6000-414-0x00000000020A0000-0x00000000020FA000-memory.dmp family_redline behavioral2/memory/1900-426-0x0000000000240000-0x000000000025E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
resource yara_rule behavioral2/memory/1900-426-0x0000000000240000-0x000000000025E000-memory.dmp family_sectoprat -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 5436 created 3276 5436 latestX.exe 42 PID 5436 created 3276 5436 latestX.exe 42 PID 5436 created 3276 5436 latestX.exe 42 PID 5436 created 3276 5436 latestX.exe 42 PID 5436 created 3276 5436 latestX.exe 42 PID 5612 created 3276 5612 updater.exe 42 PID 5612 created 3276 5612 updater.exe 42 PID 5612 created 3276 5612 updater.exe 42 PID 5612 created 3276 5612 updater.exe 42 PID 5612 created 3276 5612 updater.exe 42 PID 5612 created 3276 5612 updater.exe 42 -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2536 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation F9A8.exe Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation BE70.bat Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation C27A.exe Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation explothe.exe -
Executes dropped EXE 35 IoCs
pid Process 2536 v7002600.exe 4504 a4248824.exe 1172 b0070557.exe 3412 c3174991.exe 4532 BC3B.exe 3024 OV6MR7Yw.exe 412 BDB3.exe 1456 bf6Dw9Ui.exe 408 fZ8WR0am.exe 4180 BE70.bat 4420 bt4xT1rz.exe 4556 1DQ73CJ8.exe 4112 C055.exe 4968 C141.exe 4964 C27A.exe 4700 explothe.exe 1424 2BY150Kr.exe 2820 F9A8.exe 5248 toolspub2.exe 5304 31839b57a4f11171d6abc8bbc4451ee4.exe 5368 source1.exe 5436 latestX.exe 5576 toolspub2.exe 5488 explothe.exe 6000 25F9.exe 6076 28B9.exe 1900 2BD7.exe 5928 31839b57a4f11171d6abc8bbc4451ee4.exe 5612 updater.exe 5744 csrss.exe 1620 injector.exe 5816 windefender.exe 6028 windefender.exe 1428 explothe.exe 5416 f801950a962ddba14caaa44bf084b55c.exe -
Loads dropped DLL 3 IoCs
pid Process 6000 25F9.exe 6000 25F9.exe 3696 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C141.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" bt4xT1rz.exe Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" BC3B.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" bf6Dw9Ui.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" fZ8WR0am.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v7002600.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" OV6MR7Yw.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Suspicious use of SetThreadContext 9 IoCs
description pid Process procid_target PID 4504 set thread context of 4244 4504 a4248824.exe 92 PID 1172 set thread context of 3104 1172 b0070557.exe 100 PID 412 set thread context of 1264 412 BDB3.exe 124 PID 4556 set thread context of 4480 4556 1DQ73CJ8.exe 127 PID 4112 set thread context of 2552 4112 C055.exe 136 PID 5248 set thread context of 5576 5248 toolspub2.exe 179 PID 5368 set thread context of 5136 5368 source1.exe 190 PID 5612 set thread context of 5268 5612 updater.exe 262 PID 5612 set thread context of 2152 5612 updater.exe 263 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe latestX.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5508 sc.exe 6060 sc.exe 5856 sc.exe 5884 sc.exe 5964 sc.exe 6012 sc.exe 4488 sc.exe 392 sc.exe 5756 sc.exe 3208 sc.exe 5892 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 8 IoCs
pid pid_target Process procid_target 4828 4504 WerFault.exe 89 4268 1172 WerFault.exe 98 4984 3104 WerFault.exe 100 1764 412 WerFault.exe 116 2184 4556 WerFault.exe 118 4392 4480 WerFault.exe 127 2620 4112 WerFault.exe 122 4576 6000 WerFault.exe 182 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4572 schtasks.exe 1460 schtasks.exe 3448 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" windefender.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4244 AppLaunch.exe 4244 AppLaunch.exe 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE 3276 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3276 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 656 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4244 AppLaunch.exe 5576 toolspub2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4968 C141.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeDebugPrivilege 5368 source1.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeDebugPrivilege 5812 powershell.exe Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE Token: SeCreatePagefilePrivilege 3276 Explorer.EXE Token: SeShutdownPrivilege 3276 Explorer.EXE -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe 4672 msedge.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3276 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4492 wrote to memory of 2536 4492 file.exe 88 PID 4492 wrote to memory of 2536 4492 file.exe 88 PID 4492 wrote to memory of 2536 4492 file.exe 88 PID 2536 wrote to memory of 4504 2536 v7002600.exe 89 PID 2536 wrote to memory of 4504 2536 v7002600.exe 89 PID 2536 wrote to memory of 4504 2536 v7002600.exe 89 PID 4504 wrote to memory of 4104 4504 a4248824.exe 91 PID 4504 wrote to memory of 4104 4504 a4248824.exe 91 PID 4504 wrote to memory of 4104 4504 a4248824.exe 91 PID 4504 wrote to memory of 4244 4504 a4248824.exe 92 PID 4504 wrote to memory of 4244 4504 a4248824.exe 92 PID 4504 wrote to memory of 4244 4504 a4248824.exe 92 PID 4504 wrote to memory of 4244 4504 a4248824.exe 92 PID 4504 wrote to memory of 4244 4504 a4248824.exe 92 PID 4504 wrote to memory of 4244 4504 a4248824.exe 92 PID 2536 wrote to memory of 1172 2536 v7002600.exe 98 PID 2536 wrote to memory of 1172 2536 v7002600.exe 98 PID 2536 wrote to memory of 1172 2536 v7002600.exe 98 PID 1172 wrote to memory of 2812 1172 b0070557.exe 99 PID 1172 wrote to memory of 2812 1172 b0070557.exe 99 PID 1172 wrote to memory of 2812 1172 b0070557.exe 99 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 1172 wrote to memory of 3104 1172 b0070557.exe 100 PID 4492 wrote to memory of 3412 4492 file.exe 105 PID 4492 wrote to memory of 3412 4492 file.exe 105 PID 4492 wrote to memory of 3412 4492 file.exe 105 PID 3276 wrote to memory of 4532 3276 Explorer.EXE 114 PID 3276 wrote to memory of 4532 3276 Explorer.EXE 114 PID 3276 wrote to memory of 4532 3276 Explorer.EXE 114 PID 4532 wrote to memory of 3024 4532 BC3B.exe 115 PID 4532 wrote to memory of 3024 4532 BC3B.exe 115 PID 4532 wrote to memory of 3024 4532 BC3B.exe 115 PID 3276 wrote to memory of 412 3276 Explorer.EXE 116 PID 3276 wrote to memory of 412 3276 Explorer.EXE 116 PID 3276 wrote to memory of 412 3276 Explorer.EXE 116 PID 3024 wrote to memory of 1456 3024 OV6MR7Yw.exe 117 PID 3024 wrote to memory of 1456 3024 OV6MR7Yw.exe 117 PID 3024 wrote to memory of 1456 3024 OV6MR7Yw.exe 117 PID 1456 wrote to memory of 408 1456 bf6Dw9Ui.exe 121 PID 1456 wrote to memory of 408 1456 bf6Dw9Ui.exe 121 PID 1456 wrote to memory of 408 1456 bf6Dw9Ui.exe 121 PID 3276 wrote to memory of 4180 3276 Explorer.EXE 120 PID 3276 wrote to memory of 4180 3276 Explorer.EXE 120 PID 3276 wrote to memory of 4180 3276 Explorer.EXE 120 PID 408 wrote to memory of 4420 408 fZ8WR0am.exe 119 PID 408 wrote to memory of 4420 408 fZ8WR0am.exe 119 PID 408 wrote to memory of 4420 408 fZ8WR0am.exe 119 PID 4420 wrote to memory of 4556 4420 bt4xT1rz.exe 118 PID 4420 wrote to memory of 4556 4420 bt4xT1rz.exe 118 PID 4420 wrote to memory of 4556 4420 bt4xT1rz.exe 118 PID 3276 wrote to memory of 4112 3276 Explorer.EXE 122 PID 3276 wrote to memory of 4112 3276 Explorer.EXE 122 PID 3276 wrote to memory of 4112 3276 Explorer.EXE 122 PID 3276 wrote to memory of 4968 3276 Explorer.EXE 123 PID 3276 wrote to memory of 4968 3276 Explorer.EXE 123 PID 412 wrote to memory of 1264 412 BDB3.exe 124 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7002600.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7002600.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4248824.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4248824.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:4104
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4244
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 5965⤵
- Program crash
PID:4828
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0070557.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0070557.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:2812
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:3104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 5406⤵
- Program crash
PID:4984
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 5925⤵
- Program crash
PID:4268
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3174991.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3174991.exe3⤵
- Executes dropped EXE
PID:3412
-
-
-
C:\Users\Admin\AppData\Local\Temp\BC3B.exeC:\Users\Admin\AppData\Local\Temp\BC3B.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OV6MR7Yw.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bf6Dw9Ui.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fZ8WR0am.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:408
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BDB3.exeC:\Users\Admin\AppData\Local\Temp\BDB3.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:1264
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 3883⤵
- Program crash
PID:1764
-
-
-
C:\Users\Admin\AppData\Local\Temp\BE70.bat"C:\Users\Admin\AppData\Local\Temp\BE70.bat"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4180 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BF29.tmp\BF2A.tmp\BF2B.bat C:\Users\Admin\AppData\Local\Temp\BE70.bat"3⤵PID:896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4672 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcb7d646f8,0x7ffcb7d64708,0x7ffcb7d647185⤵PID:1004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:35⤵PID:2332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:85⤵PID:1536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:15⤵PID:384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:15⤵PID:5076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:25⤵PID:4820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:15⤵PID:2800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:15⤵PID:1056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:15⤵PID:4620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:85⤵PID:3256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:85⤵PID:920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:15⤵PID:1216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,17379792745033018601,3670503205730632500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:15⤵PID:4132
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵PID:3892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb7d646f8,0x7ffcb7d64708,0x7ffcb7d647185⤵PID:536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,14409302533745690786,6417268553264828739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:35⤵PID:2504
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C055.exeC:\Users\Admin\AppData\Local\Temp\C055.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4112 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:3852
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:2552
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 4043⤵
- Program crash
PID:2620
-
-
-
C:\Users\Admin\AppData\Local\Temp\C141.exeC:\Users\Admin\AppData\Local\Temp\C141.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
-
C:\Users\Admin\AppData\Local\Temp\C27A.exeC:\Users\Admin\AppData\Local\Temp\C27A.exe2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4964 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4700 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F4⤵
- DcRat
- Creates scheduled task(s)
PID:3448
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵PID:2144
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2200
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"5⤵PID:2940
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵PID:2408
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵PID:3476
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4324
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E5⤵PID:2572
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:3696
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\F9A8.exeC:\Users\Admin\AppData\Local\Temp\F9A8.exe2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5248 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5576
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
PID:5304 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5928 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4104
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:464
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:2536
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1764
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5256
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:5744 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5780
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:4572
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:116
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4780
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5028 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:464
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:1620
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:1460
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:5816 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5856
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:5812
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
PID:6012
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe6⤵
- Executes dropped EXE
PID:5416 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f7⤵PID:2536
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f7⤵PID:2480
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\source1.exe"C:\Users\Admin\AppData\Local\Temp\source1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5368 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"4⤵PID:5136
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:5436
-
-
-
C:\Users\Admin\AppData\Local\Temp\25F9.exeC:\Users\Admin\AppData\Local\Temp\25F9.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6000 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 7923⤵
- Program crash
PID:4576
-
-
-
C:\Users\Admin\AppData\Local\Temp\28B9.exeC:\Users\Admin\AppData\Local\Temp\28B9.exe2⤵
- Executes dropped EXE
PID:6076
-
-
C:\Users\Admin\AppData\Local\Temp\2BD7.exeC:\Users\Admin\AppData\Local\Temp\2BD7.exe2⤵
- Executes dropped EXE
PID:1900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:3508
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:392
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:5756
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3208
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:5856
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:5884
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:5892
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:6060
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:5980
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:6096
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:6088
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:6140
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:2176
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5000
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:3940
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:5964
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:5508
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4488
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:392
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:6060
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:5272
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:5376
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:3132
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:4652
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:5356
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5636
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:5268
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Modifies data under HKEY_USERS
PID:2152
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4504 -ip 45041⤵PID:4772
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1172 -ip 11721⤵PID:3588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3104 -ip 31041⤵PID:4768
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1DQ73CJ8.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4556 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:4480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 5403⤵
- Program crash
PID:4392
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 5802⤵
- Program crash
PID:2184
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bt4xT1rz.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BY150Kr.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2BY150Kr.exe2⤵
- Executes dropped EXE
PID:1424
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 412 -ip 4121⤵PID:756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4556 -ip 45561⤵PID:4268
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4480 -ip 44801⤵PID:2284
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4112 -ip 41121⤵PID:2680
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1468
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1208
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:3448
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:5488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6000 -ip 60001⤵PID:5172
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:5612
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6028
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:1428
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5dc1545f40e709a9447a266260fdc751e
SHA18afed6d761fb82c918c1d95481170a12fe94af51
SHA2563dadfc7e0bd965d4d61db057861a84761abf6af17b17250e32b7450c1ddc4d48
SHA512ed0ae5280736022a9ef6c5878bf3750c2c5473cc122a4511d3fb75eb6188a2c3931c8fa1eaa01203a7748f323ed73c0d2eb4357ac230d14b65d18ac2727d020f
-
Filesize
152B
MD51222f8c867acd00b1fc43a44dacce158
SHA1586ba251caf62b5012a03db9ba3a70890fc5af01
SHA2561e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916
-
Filesize
152B
MD51222f8c867acd00b1fc43a44dacce158
SHA1586ba251caf62b5012a03db9ba3a70890fc5af01
SHA2561e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916
-
Filesize
152B
MD51222f8c867acd00b1fc43a44dacce158
SHA1586ba251caf62b5012a03db9ba3a70890fc5af01
SHA2561e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916
-
Filesize
152B
MD51222f8c867acd00b1fc43a44dacce158
SHA1586ba251caf62b5012a03db9ba3a70890fc5af01
SHA2561e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD5aa854a70677d9d716faa26f65ac0affc
SHA170a2be39e1e03af4da68d0b5dc9ef9be7661a733
SHA25655300aa59e2692a9cb8af30815edc4de1099f8e6ee1f53d2bb97902674ca140c
SHA5124e88c0dfe73c235065a938d5eebee7c7b672f76c8099bf782ba8dee2adf9cded0dc74f0424bd4f2aaf6fa4a693bec7ca6b691e7075a2bcca8040a9f3d568bc93
-
Filesize
5KB
MD55c2bc05d112af6c85920a02ccb3fedf9
SHA11632f92047fb97fe09ef0eaa27f9e0b0c91d0bab
SHA25647e22bc13cf482eb61fcc4d176b34fedfef22c807de3e4a0ca978988e2e5cfc2
SHA51205e60ac8fc2d72e9666082c182b7a7ee08b19ae58d3a8cf88b18381477be0719a5496ab471e4fc387c3387bcb1d9aa1e671224f6098913d76bc18740676e2a9c
-
Filesize
24KB
MD515ad31a14e9a92d2937174141e80c28d
SHA1b09e8d44c07123754008ba2f9ff4b8d4e332d4e5
SHA256bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde
SHA512ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296
-
Filesize
864B
MD540005a04d6d19143dbed8a28b523a160
SHA13863f6cf0b5e3e6f7caa5a581af72e4b583161c7
SHA256e227d23e0604ccb7c0a2506de05df44dcbd479348d8b65c05f1972f4baf16f0d
SHA5120d1776eb56ffcd214936e4d5d8b8b3dfad93f278e166a4062df860de572449bca5a0a2c395960e62f1cfe411e3ae44c79eb80c47d82ec212fed9d861e75d3a81
-
Filesize
862B
MD50c88e9853542220d8d62ce396425eb5c
SHA18a32be91a49eb841ff9ecfed5281af234d028947
SHA2564f789a71e27aecf5229b8abb066b18ec2308c865c2905c2abb775f1bcfecd905
SHA5126540120bdf8db26344e3b990e46bf21f4bf0cf8a8684adfde2d16a2a856f7e997f41714a8f40ea8adf65713c0ec0b38a53f69f48684405808194a09335323bff
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD55519283ebc50f3f286f4951b937d554b
SHA18c63e981b354b8dd77899838bad0512678395eb9
SHA25606c1d80f86c72fe7a04c33b87086a02cf467f40ea68a7147c4d535c08073b654
SHA5121e676fc94370095ab4f92b9071f400b0b229656bff42dd6aeeb4ec99b97b7011169cfb1b5d628d9a1322bf39b0599417035c60fa6a6e53b18c3065e22156dff6
-
Filesize
10KB
MD514add8ed71ccd3dcdbc656650c2d98d9
SHA1f0be7442375c9d7e5abe2725024f776a479abef9
SHA256c4dcf570679580f48c1d76e242d23bf4a83b12b1d9640f3376673dc9321824ca
SHA51246ea02c8806dd6bfa5d88ef34b3d035303ded003fc0fad8f253e2301cf374e0dd7f6adff74f8a7622e0afc723b0485259cd4f444674da9b45b0ad517f2efae46
-
Filesize
2KB
MD53e13d3eae7a655a1906282479562e56a
SHA1830b4e50d52aa4886926e781ab8b113db48d1fa3
SHA2568ec4883a515bf875974ee387b37997a3fa8bcbfbeddbe63073cb0cc7513e3d9d
SHA512dbcadfb1f4c9552da37003eba61aaff315308fe912f1c0763b70beb4361504df6c403bf7ddd678697f56d2b6e0a6e3753617270df9dc1fb24f9676107eb69882
-
Filesize
2KB
MD53e13d3eae7a655a1906282479562e56a
SHA1830b4e50d52aa4886926e781ab8b113db48d1fa3
SHA2568ec4883a515bf875974ee387b37997a3fa8bcbfbeddbe63073cb0cc7513e3d9d
SHA512dbcadfb1f4c9552da37003eba61aaff315308fe912f1c0763b70beb4361504df6c403bf7ddd678697f56d2b6e0a6e3753617270df9dc1fb24f9676107eb69882
-
Filesize
429KB
MD521b738f4b6e53e6d210996fa6ba6cc69
SHA13421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA2563b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81
-
Filesize
429KB
MD521b738f4b6e53e6d210996fa6ba6cc69
SHA13421aceeaa8f9f53169ae8af4f50f0d9d2c03f41
SHA2563b1af64f9747985b3b79a7ce39c6625b43e562227dc2f96758118b2acb3e5e58
SHA512f766a972fde598399091a82fc8db8d9edd25a9a5f9e5a0568769632091605eeb47bf3b44b69d37d51c1c7ab8be89cd4fb4846a5f06d719db885a35e049f1eb81
-
Filesize
4.2MB
MD5aa6f521d78f6e9101a1a99f8bfdfbf08
SHA181abd59d8275c1a1d35933f76282b411310323be
SHA2563d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA51243ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153
-
Filesize
4.2MB
MD5aa6f521d78f6e9101a1a99f8bfdfbf08
SHA181abd59d8275c1a1d35933f76282b411310323be
SHA2563d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA51243ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153
-
Filesize
4.2MB
MD5aa6f521d78f6e9101a1a99f8bfdfbf08
SHA181abd59d8275c1a1d35933f76282b411310323be
SHA2563d5c0be6aafffa6324a44619131ff8994b0b59856dedf444ced072cae1ebc39d
SHA51243ce4ad2d8295880ca1560c7a14cff89f2dfa70942d7679faae417f58177f63ae436604bbe914bd8fbbaedfb992ab6da4637af907e2b28696be53843d7ed8153
-
Filesize
1.2MB
MD5d295489cc7f06e3229a08715c3d73814
SHA10fd98d23821878adace03323948a2c2718222ffd
SHA256b3b7fcec7c3996c4124f5bdba514b32124a8ab446ac00dea435b60b1f7e88769
SHA512314d280da49ebd98c99217551f5262037866f73c11a7477c729364ede03dafd3a5615671925b2826354d5e8a5dcb3dea73f38519ff5bed642c1428224461d451
-
Filesize
1.2MB
MD5d295489cc7f06e3229a08715c3d73814
SHA10fd98d23821878adace03323948a2c2718222ffd
SHA256b3b7fcec7c3996c4124f5bdba514b32124a8ab446ac00dea435b60b1f7e88769
SHA512314d280da49ebd98c99217551f5262037866f73c11a7477c729364ede03dafd3a5615671925b2826354d5e8a5dcb3dea73f38519ff5bed642c1428224461d451
-
Filesize
447KB
MD50fdc61c9202e2d8f7865ea1f055d328e
SHA1bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA51279cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2
-
Filesize
447KB
MD50fdc61c9202e2d8f7865ea1f055d328e
SHA1bb2ec64387e9a675ac7f97236e54ef6b4e9481e0
SHA256650a8a6512a47f0224509df2a3431891504f0b796ec26f9f454710d0386fcfee
SHA51279cb141673b4ed50a0fbfa7aa96bc39a62d5ef72d5809085ab6e798cc5a1ae0c467939ac29fcb148a259f1ef32288dfd8b3fc08ff14dba390c20ca0577e099d2
-
Filesize
97KB
MD59db53ae9e8af72f18e08c8b8955f8035
SHA150ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA5123cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1
-
Filesize
97KB
MD59db53ae9e8af72f18e08c8b8955f8035
SHA150ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA5123cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1
-
Filesize
97KB
MD59db53ae9e8af72f18e08c8b8955f8035
SHA150ae5f80c1246733d54db98fac07380b1b2ff90d
SHA256d1d32c30e132d6348bd8e8baff51d1b706e78204b7f5775874946a7019a92b89
SHA5123cfb3104befbb5d60b5844e3841bf7c61baed8671191cfc42e0666c6ce92412ab235c70be718f52cfbd0e338c9f6f04508e0fd07b30f9bbda389e2e649c199d1
-
Filesize
88B
MD50ec04fde104330459c151848382806e8
SHA13b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA2561ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA5128b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40
-
Filesize
486KB
MD5f4162995f2f22651e9b42938e71047d3
SHA103b5192eeaffac0376303f7b30eea43a5291374f
SHA256c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da
-
Filesize
486KB
MD5f4162995f2f22651e9b42938e71047d3
SHA103b5192eeaffac0376303f7b30eea43a5291374f
SHA256c3132cfa55991968855a0cf18ae5a21ce54c9b1b5f7c6cc0bc1bf35d09601cae
SHA512b30e3aa2d4651e6ec2af1e3e9481e9ce520a4938fdfee82004f9db6f8b1c2e71c9031eb009c2c31cfed62f660127f76ffeb65682170b36032b0969bbc2a638da
-
Filesize
21KB
MD557543bf9a439bf01773d3d508a221fda
SHA15728a0b9f1856aa5183d15ba00774428be720c35
SHA25670d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA51228f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20
-
Filesize
21KB
MD557543bf9a439bf01773d3d508a221fda
SHA15728a0b9f1856aa5183d15ba00774428be720c35
SHA25670d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA51228f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
15.1MB
MD51f353056dfcf60d0c62d87b84f0a5e3f
SHA1c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA51284b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d
-
Filesize
15.1MB
MD51f353056dfcf60d0c62d87b84f0a5e3f
SHA1c71a24f90d3ca5a4e26ad8c58db1fc078a75a8f0
SHA256f30654f4b2b72d4143616a3c2bb3b94b78a9726868b3dfa302ba36892e889d0e
SHA51284b13853a888d1c7fb7ffbe0885fc7fe66237e46234ee0b95ba4fc31c14d94e8f7c7506d42fa70aab1b2c4aa744bd8043048c0e6ae75dd31da7c3089b0c0599d
-
Filesize
1.1MB
MD5dd4c372db3be58e4d24842acc2dbfbc3
SHA1d6e4743b75bea2b721c72880a4c127e003644b66
SHA256f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736
-
Filesize
1.1MB
MD5dd4c372db3be58e4d24842acc2dbfbc3
SHA1d6e4743b75bea2b721c72880a4c127e003644b66
SHA256f56c58adfd5437d8b506a20e1d68d70be912b5c6966c39bbec9176fa7f1ea525
SHA512e1b2602de975c130742f24c46a23d555ff98bce0736507008194ab0824c5838f62546fcb2e5646f5d31cae74e4aa63f0b1a0cdbf7c770ea8f0dfe86f94a94736
-
Filesize
23KB
MD594e30371720c4c72acd9bf801919e1c2
SHA1a4392568d25ea2bfcb5ec81dcf79b1c63a6ed56e
SHA256c1bae77fdec5cc0fe99a7aca5f784c915b05f4d2409bced6c4645d8f418225e7
SHA512afff6e83e127b915479f3b623b77576b28ec4e30bb82225af3c22162d451584bc4ff2160fa74d3395279113c01436b406c3c3d365337eabe52f1d93658215ad2
-
Filesize
23KB
MD594e30371720c4c72acd9bf801919e1c2
SHA1a4392568d25ea2bfcb5ec81dcf79b1c63a6ed56e
SHA256c1bae77fdec5cc0fe99a7aca5f784c915b05f4d2409bced6c4645d8f418225e7
SHA512afff6e83e127b915479f3b623b77576b28ec4e30bb82225af3c22162d451584bc4ff2160fa74d3395279113c01436b406c3c3d365337eabe52f1d93658215ad2
-
Filesize
325KB
MD5d54e8d7604a377a7365eb2a9938e5bb3
SHA14b8b2b99a9686aaafe0573274abd942d39dd9a2b
SHA25620beb8fbb0bfad1b4e83c8963f8faa13a0ae6c1cc9c2abc88784ed0dd4639be8
SHA5128bf8aafc8d390d8759b64119921367e8f4a0fae6b88c5d08ba38a6b6eed14bd53c501d412b5afe2b66f9774f7020c3d4d1ca38130f13748314c0ee19cc132884
-
Filesize
325KB
MD5d54e8d7604a377a7365eb2a9938e5bb3
SHA14b8b2b99a9686aaafe0573274abd942d39dd9a2b
SHA25620beb8fbb0bfad1b4e83c8963f8faa13a0ae6c1cc9c2abc88784ed0dd4639be8
SHA5128bf8aafc8d390d8759b64119921367e8f4a0fae6b88c5d08ba38a6b6eed14bd53c501d412b5afe2b66f9774f7020c3d4d1ca38130f13748314c0ee19cc132884
-
Filesize
166KB
MD59609b09ea71e8b93a28952593162aa93
SHA1e1398b8d3cd91362d17488098858528d348a35e5
SHA256d5063fedba3cd823ad9a1564da01554e540234f5d79435ef0f752c6029c490d1
SHA512c688e5b24eb1add31b61fd605eefd67db66ab4bf7a9a77cd1d1d1fec3923459ace509aa22efe60d4a1723d663b52780a2b5737653538dcbc1353b388b6888c80
-
Filesize
166KB
MD59609b09ea71e8b93a28952593162aa93
SHA1e1398b8d3cd91362d17488098858528d348a35e5
SHA256d5063fedba3cd823ad9a1564da01554e540234f5d79435ef0f752c6029c490d1
SHA512c688e5b24eb1add31b61fd605eefd67db66ab4bf7a9a77cd1d1d1fec3923459ace509aa22efe60d4a1723d663b52780a2b5737653538dcbc1353b388b6888c80
-
Filesize
276KB
MD53b4617d8e722eeae67c5b174df6ff59a
SHA1ffad2475bf599b6f0f704933d89771b5c814c2ec
SHA25689fbdcca93d6465f3446a9d4d72bfcae3780e4b6b4d3e38fb3cf82856501977c
SHA512ba402f56b0667d6755b7601fa5f087c03136b1f13439fede3b1ae6a8c751abcac79422d3f7855955da345bf6451f24cf74b7b6ddd3387b93da2a9b089f2aa8d1
-
Filesize
276KB
MD53b4617d8e722eeae67c5b174df6ff59a
SHA1ffad2475bf599b6f0f704933d89771b5c814c2ec
SHA25689fbdcca93d6465f3446a9d4d72bfcae3780e4b6b4d3e38fb3cf82856501977c
SHA512ba402f56b0667d6755b7601fa5f087c03136b1f13439fede3b1ae6a8c751abcac79422d3f7855955da345bf6451f24cf74b7b6ddd3387b93da2a9b089f2aa8d1
-
Filesize
948KB
MD5e1367690e04fa399fc946b2fe702bab4
SHA1058ea9fb9eef1090122de02162a02f246d6458b7
SHA25643ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA5128d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82
-
Filesize
948KB
MD5e1367690e04fa399fc946b2fe702bab4
SHA1058ea9fb9eef1090122de02162a02f246d6458b7
SHA25643ea5ce8fba611a2a318a3ea1a72b967b8c22f043750417f3ce96d19bc7e9def
SHA5128d711cc38a078d565cb2b274b6d02f3a46b7308581c097815aa150463d4afdcb05a63682f2879f47408ed2d64b56c2d07eca544d68439de55931b57bfc76cf82
-
Filesize
647KB
MD5229460cb3bfdf00106201da676025b70
SHA1f1563e54acb60599642afbd29f285fc5fa110832
SHA2562a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260
-
Filesize
647KB
MD5229460cb3bfdf00106201da676025b70
SHA1f1563e54acb60599642afbd29f285fc5fa110832
SHA2562a511f540ed48dab195ee1cef4af0c43402e820018599738619aa216f60481d5
SHA512906fdd66b699af5c7ea50a55c5e3e0d34d8e8af0cfd621f3c3529e17530b5cd20036b0d98f901104bed7fefc85d18eadc01423773da56e90d78de9b6958e6260
-
Filesize
451KB
MD5ca64d1eb04ed701f6dba83c59e2d9c74
SHA15d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA2567ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA5125dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56
-
Filesize
451KB
MD5ca64d1eb04ed701f6dba83c59e2d9c74
SHA15d0dc63a595be906c61cbf883d6f5fd77f43cfe0
SHA2567ec2847220fe2b2179da8490559a74bf3684499dca65f95ee4a9761cd28cffc6
SHA5125dd62405a78159df8f7b3ad93312636108a98c002706f96b1c7b5c9ac4362886e186a261ba8e268c261be2b9a689149c50d440cd7d93d2b282e3b22a9c1a9e56
-
Filesize
449KB
MD5a1ff303dc93f70bf1375da6e507e57a4
SHA149b21e743d4447c206be7a7cf8b334c052521be6
SHA25607176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c
-
Filesize
449KB
MD5a1ff303dc93f70bf1375da6e507e57a4
SHA149b21e743d4447c206be7a7cf8b334c052521be6
SHA25607176cbd72fd196cdf52f4475454a77f7d57678b0e0eebe3223242e294af17cb
SHA512f3c9c041cc842c700eadc5e17e942f1a543d07887ffdd5895148855e006aea10071397b347e6ca637bf2067810ae3245cd75a23296ba135bfa0233b8ba0ef70c
-
Filesize
222KB
MD5a5c03e1930922b2d7e2a805ade98b4f6
SHA1e9c0858f113b9bdb692c22302b8706db997edf64
SHA256802a6976ed48f18b8dc51a20e6857e88c6da2e6e35c86f72cde9561de413e982
SHA51268b196584a7f28a9db8f1a7228dab642295a283b085cdcbdad685e0537dd0c963a6761ad35d05bb3faaceb027ce54b9b1f60016a8b36239a291578ce42e6322b
-
Filesize
222KB
MD5a5c03e1930922b2d7e2a805ade98b4f6
SHA1e9c0858f113b9bdb692c22302b8706db997edf64
SHA256802a6976ed48f18b8dc51a20e6857e88c6da2e6e35c86f72cde9561de413e982
SHA51268b196584a7f28a9db8f1a7228dab642295a283b085cdcbdad685e0537dd0c963a6761ad35d05bb3faaceb027ce54b9b1f60016a8b36239a291578ce42e6322b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
229KB
MD578e5bc5b95cf1717fc889f1871f5daf6
SHA165169a87dd4a0121cd84c9094d58686be468a74a
SHA2567d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.1MB
MD5e082a92a00272a3c1cd4b0de30967a79
SHA116c391acf0f8c637d36a93e217591d8319e3f041
SHA256eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA51226b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288
-
Filesize
5.1MB
MD5e082a92a00272a3c1cd4b0de30967a79
SHA116c391acf0f8c637d36a93e217591d8319e3f041
SHA256eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA51226b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288
-
Filesize
5.1MB
MD5e082a92a00272a3c1cd4b0de30967a79
SHA116c391acf0f8c637d36a93e217591d8319e3f041
SHA256eb318c91e0a9f49ad218298a13f7d8981e6ab145097107e5316d857943bc1cdc
SHA51226b77179a46e1a72dab0cfa99e030133e99057d10e14a36ed3ef4935e7778b0f6505bad43b14523275e7dc5937bb2f5f7c650cb7ec6e7012cbbe874e52c15288
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
92KB
MD502f8652ecec423d1ebd72ff3863579fe
SHA1d9772bd7f3978dc302b44216d2e3a2d62e0b0544
SHA25637c53e07bac027475dbc6122b2e105a431effa21c8e554f5c44e8652c8fa84b9
SHA512c319907b9f0e8606e783a7f782c0d4241c3aedf5b783961c77f72feee94709c080569979ac5c005bc35aba65e9a4f1e37d658f4baac44b114b4c5234900c47a9
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
Filesize
294KB
MD5b44f3ea702caf5fba20474d4678e67f6
SHA1d33da22fcd5674123807aaf01123d49a69901e33
SHA2566b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3
-
Filesize
294KB
MD5b44f3ea702caf5fba20474d4678e67f6
SHA1d33da22fcd5674123807aaf01123d49a69901e33
SHA2566b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3
-
Filesize
294KB
MD5b44f3ea702caf5fba20474d4678e67f6
SHA1d33da22fcd5674123807aaf01123d49a69901e33
SHA2566b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3
-
Filesize
294KB
MD5b44f3ea702caf5fba20474d4678e67f6
SHA1d33da22fcd5674123807aaf01123d49a69901e33
SHA2566b066c420ab228bf788f1abda2911eefbb89834640e64d8d6b4f14cb963e4eb8
SHA512ed0dcd43d8bb8bab253daaf069353d1c720aa13217230d643e2c056089d56753aa4df5ee478833f716e248277c2553e81ae9c21f0f1502fdaf5bbac726d2a0c3
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9