Analysis
max time kernel: 132s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2023 04:35

Static task: static1
Behavioral task: behavioral1
  Sample: fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe
  Resource: win10v2004-20230915-en

General
Target: fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe
Size: 1.4MB
MD5: 1b774c1a9710577583b00fb4049415e3
SHA1: 3996022f28d832cf68b00e0c2b24a8db031fcc3b
SHA256: fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9
SHA512: 7a47e92c3439a25df8e03910adb8a5fa84a8abb87622d9ddeee6caefd2090ef2dd181872f13d4b1df64222aeaf5355fd1c83ffd1c562c7c5eb530ef836512504
SSDEEP: 24576:3e1RCDg+rnLYiMVuMSRSkDRelY9rbXwd+Ntcnl9ibSL0DcUTOjISXR+Bw16G:u1RCDgcnLYiMeeY9PXw4NWnHibY0D1Tc

Malware Config
Extracted: amadey 3.89
  C2: http://77.91.68.52/mac/index.php
  C2: http://77.91.68.78/help/index.php
  C2: http://77.91.124.1/theme/index.php
  install_dir: fefffe8cea
  install_file: explonde.exe
  strings_key: 916aae73606d7a9e02a1d3b47c199688
Extracted: smokeloader 2022
  C2: http://77.91.68.29/fks/
Extracted: redline (monik)
  C2: 77.91.124.82:19071
  auth_value: da7d9ea0878f5901f1f8319d34bdccea
Extracted: redline (kukish)
  C2: 77.91.124.55:19071
Extracted: redline (breha)
  C2: 77.91.124.55:19071
Extracted: redline (pixelscloud2.0)
  C2: 85.209.176.128:80
Extracted: redline (@ytlogsbot)
  C2: 185.216.70.238:37515
Extracted: redline (5141679758_99)
  C2: https://pastebin.com/raw/8baCJyMF

Signatures

DcRat 6 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | AppLaunch.exe
  pid | process
  3240 | schtasks.exe
  572 | schtasks.exe
  5488 | schtasks.exe
  3808 | schtasks.exe
  2668 | schtasks.exe

Detect Mystic stealer payload 4 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2824-44-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/2824-45-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/2824-46-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic
  behavioral2/memory/2824-48-0x0000000000400000-0x0000000000428000-memory.dmp | family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/2608-39-0x0000000000400000-0x000000000040A000-memory.dmp | healer

Glupteba payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/244-409-0x0000000000400000-0x0000000002FB8000-memory.dmp | family_glupteba
  behavioral2/memory/244-499-0x0000000000400000-0x0000000002FB8000-memory.dmp | family_glupteba

Processes: AppLaunch.exe, 274E.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 274E.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 274E.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 274E.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 274E.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 274E.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 16 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe | family_redline (x2)
  C:\Users\Admin\AppData\Local\Temp\176E.exe | family_redline (x2)
  behavioral2/memory/3768-161-0x00000000006F0000-0x000000000072E000-memory.dmp | family_redline
  behavioral2/memory/3764-159-0x0000000000B50000-0x0000000000B8E000-memory.dmp | family_redline
  C:\Users\Admin\AppData\Local\Temp\35D7.exe | family_redline (x2)
  C:\Users\Admin\AppData\Local\Temp\37FB.exe | family_redline (x2)
  behavioral2/memory/1156-222-0x0000000000BC0000-0x0000000000C1A000-memory.dmp | family_redline
  behavioral2/memory/256-220-0x00000000006A0000-0x00000000006BE000-memory.dmp | family_redline
  behavioral2/memory/3900-219-0x0000000001FB0000-0x000000000200A000-memory.dmp | family_redline
  behavioral2/memory/2976-287-0x0000000000180000-0x00000000001BE000-memory.dmp | family_redline
  behavioral2/memory/5040-286-0x00000000006C0000-0x00000000007DB000-memory.dmp | family_redline
  behavioral2/memory/5040-304-0x00000000006C0000-0x00000000007DB000-memory.dmp | family_redline

SectopRAT payload 3 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\35D7.exe | family_sectoprat (x2)
  behavioral2/memory/256-220-0x00000000006A0000-0x00000000006BE000-memory.dmp | family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

.NET Reactor protector 22 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | legota.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | 59ED.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | oneetx.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | t0207357.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | explonde.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | w0224163.exe

Executes dropped EXE 41 IoCs
Processes:
  pid | process
  1580 | z3017880.exe
  2184 | z0698584.exe
  2852 | z1668858.exe
  4556 | z4005176.exe
  4936 | q8376205.exe
  60 | r0936516.exe
  5076 | s1802947.exe
  3900 | t0207357.exe
  5108 | explonde.exe
  2264 | u6524727.exe
  4964 | w0224163.exe
  3684 | legota.exe
  3216 | 123B.exe
  3280 | Ry5oa5OS.exe
  2384 | 14DC.exe
  4100 | Uv0XA3vI.exe
  2212 | RW2He0AD.exe
  2004 | ct2Fd0Ko.exe
  2928 | 1fY68mQ1.exe
  3764 | 2xK602dY.exe
  3768 | 176E.exe
  3388 | 274E.exe
  4404 | 29FE.exe
  3900 | 2E06.exe
  256 | 35D7.exe
  1156 | 37FB.exe
  5040 | 40A7.exe
  412 | 59ED.exe
  4216 | 5CFB.exe
  244 | 31839b57a4f11171d6abc8bbc4451ee4.exe
  2596 | cacls.exe
  3964 | 6568.exe
  4336 | 6828.exe
  2700 | oneetx.exe
  4372 | legota.exe
  5124 | powershell.exe
  900 | explonde.exe
  4144 | 31839b57a4f11171d6abc8bbc4451ee4.exe
  5224 | csrss.exe
  5044 | injector.exe
  4720 | windefender.exe

Loads dropped DLL 4 IoCs
Processes:
  pid | process
  3900 | 2E06.exe (x2)
  5808 | rundll32.exe
  6076 | rundll32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs

Processes: 274E.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 274E.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 13 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | AppLaunch.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | z0698584.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | z1668858.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\6828.exe'\"" | 6828.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 123B.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | ct2Fd0Ko.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | z3017880.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Ry5oa5OS.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | RW2He0AD.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | z4005176.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Uv0XA3vI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes:
  description | ioc | process
  File opened for modification | \??\WinMonFS | csrss.exe

Drops file in System32 directory 7 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe (x5)
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe

Suspicious use of SetThreadContext 6 IoCs
Processes:
  description | pid | process | target process
  PID 928 set thread context of 692 | 928 | fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe | AppLaunch.exe
  PID 4936 set thread context of 2608 | 4936 | q8376205.exe | AppLaunch.exe
  PID 60 set thread context of 2824 | 60 | r0936516.exe | AppLaunch.exe
  PID 5076 set thread context of 1060 | 5076 | s1802947.exe | AppLaunch.exe
  PID 2264 set thread context of 3000 | 2264 | u6524727.exe | AppLaunch.exe
  PID 5040 set thread context of 2976 | 5040 | 40A7.exe | vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
  description | ioc | process
  File opened (read-only) | \??\VBoxMiniRdrDN | 31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 4 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\windefender.exe | csrss.exe
  File opened for modification | C:\Windows\rss | 31839b57a4f11171d6abc8bbc4451ee4.exe
  File created | C:\Windows\rss\csrss.exe | 31839b57a4f11171d6abc8bbc4451ee4.exe
  File created | C:\Windows\windefender.exe | csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  4388 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 2 IoCs
Processes:
  pid | pid_target | process | target process
  3932 | 2824 | WerFault.exe | AppLaunch.exe
  3392 | 3900 | WerFault.exe | 2E06.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  3808 | schtasks.exe
  2668 | schtasks.exe
  572 | schtasks.exe
  5488 | schtasks.exe
  3240 | schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  2608 | AppLaunch.exe (x2)
  1060 | AppLaunch.exe (x2)
  3244 | (x60)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  3244 |

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid | process
  1060 | AppLaunch.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
  pid | process
  1472 | msedge.exe (x7)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2608 | AppLaunch.exe
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating, x59) | 3244 |
  Token: SeDebugPrivilege | 3388 | 274E.exe
  Token: SeDebugPrivilege | 256 | 35D7.exe
  Token: SeDebugPrivilege | 1156 | 37FB.exe
  Token: SeDebugPrivilege | 4216 | 5CFB.exe

Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
msedge.exe, cacls.exe
pid process
1472 msedge.exe [25 entries]
2596 cacls.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exe
pid process
1472 msedge.exe [24 entries]
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3244 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe, AppLaunch.exe, z3017880.exe, z0698584.exe, z1668858.exe, z4005176.exe, q8376205.exe, r0936516.exe, s1802947.exe, t0207357.exe
description pid process target process
PID 928 (fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe) wrote to memory of 692 (AppLaunch.exe) [10 entries]
PID 692 (AppLaunch.exe) wrote to memory of 1580 (z3017880.exe) [3 entries]
PID 1580 (z3017880.exe) wrote to memory of 2184 (z0698584.exe) [3 entries]
PID 2184 (z0698584.exe) wrote to memory of 2852 (z1668858.exe) [3 entries]
PID 2852 (z1668858.exe) wrote to memory of 4556 (z4005176.exe) [3 entries]
PID 4556 (z4005176.exe) wrote to memory of 4936 (q8376205.exe) [3 entries]
PID 4936 (q8376205.exe) wrote to memory of 2608 (AppLaunch.exe) [8 entries]
PID 4556 (z4005176.exe) wrote to memory of 60 (r0936516.exe) [3 entries]
PID 60 (r0936516.exe) wrote to memory of 2824 (AppLaunch.exe) [10 entries]
PID 2852 (z1668858.exe) wrote to memory of 5076 (s1802947.exe) [3 entries]
PID 5076 (s1802947.exe) wrote to memory of 3952 (AppLaunch.exe) [3 entries]
PID 5076 (s1802947.exe) wrote to memory of 1060 (AppLaunch.exe) [6 entries]
PID 2184 (z0698584.exe) wrote to memory of 3900 (t0207357.exe) [3 entries]
PID 3900 (t0207357.exe) wrote to memory of 5108 (explonde.exe) [3 entries]
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe (PID 928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb2be4e90de2e51f3bf87f914777af986567711b2dcb3329bca2f4c5bfb573b9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 692)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - DcRat
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3017880.exe (PID 1580)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3017880.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0698584.exe (PID 2184)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0698584.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1668858.exe (PID 2852)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1668858.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4005176.exe (PID 4556)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4005176.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8376205.exe (PID 4936)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8376205.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2608)
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                - Modifies Windows Defender Real-time Protection settings
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0936516.exe (PID 60)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0936516.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2824)
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                C:\Windows\SysWOW64\WerFault.exe (PID 3932)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 540
                  - Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1802947.exe (PID 5076)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1802947.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3952)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1060)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Checks SCSI registry key(s)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0207357.exe (PID 3900)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0207357.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe (PID 5108)
            Command line: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
            - Checks computer location settings
            - Executes dropped EXE
            C:\Windows\SysWOW64\schtasks.exe (PID 3240)
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
              - DcRat
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\cmd.exe (PID 2280)
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              C:\Windows\SysWOW64\cmd.exe (PID 4748)
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              C:\Windows\SysWOW64\cacls.exe (PID 4644)
                Command line: CACLS "explonde.exe" /P "Admin:N"
              C:\Windows\SysWOW64\cacls.exe (PID 2128)
                Command line: CACLS "explonde.exe" /P "Admin:R" /E
              C:\Windows\SysWOW64\cmd.exe (PID 648)
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              C:\Windows\SysWOW64\cacls.exe (PID 2936)
                Command line: CACLS "..\fefffe8cea" /P "Admin:N"
              C:\Windows\SysWOW64\cacls.exe (PID 3200)
                Command line: CACLS "..\fefffe8cea" /P "Admin:R" /E
            C:\Windows\SysWOW64\rundll32.exe (PID 5808)
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6524727.exe (PID 2264)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6524727.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3000)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0224163.exe (PID 4964)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0224163.exe
      - Checks computer location settings
      - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe (PID 3684)
        Command line: "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
        - Checks computer location settings
        - Executes dropped EXE
        C:\Windows\SysWOW64\schtasks.exe (PID 3808)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
          - DcRat
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe (PID 4616)
          Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
          C:\Windows\SysWOW64\cacls.exe (PID 3476)
            Command line: CACLS "legota.exe" /P "Admin:N"
          C:\Windows\SysWOW64\cmd.exe (PID 4620)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          C:\Windows\SysWOW64\cacls.exe (PID 3316)
            Command line: CACLS "legota.exe" /P "Admin:R" /E
          C:\Windows\SysWOW64\cmd.exe (PID 3104)
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          C:\Windows\SysWOW64\cacls.exe (PID 4956)
            Command line: CACLS "..\cb378487cf" /P "Admin:N"
          C:\Windows\SysWOW64\cacls.exe (PID 2580)
            Command line: CACLS "..\cb378487cf" /P "Admin:R" /E
        C:\Windows\SysWOW64\rundll32.exe (PID 6076)
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          - Loads dropped DLL
C:\Windows\SysWOW64\WerFault.exe (PID 404)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2824 -ip 2824
C:\Users\Admin\AppData\Local\Temp\123B.exe (PID 3216)
  Command line: C:\Users\Admin\AppData\Local\Temp\123B.exe
  - Executes dropped EXE
  - Adds Run key to start application
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ry5oa5OS.exe (PID 3280)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ry5oa5OS.exe
    - Executes dropped EXE
    - Adds Run key to start application
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uv0XA3vI.exe (PID 4100)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Uv0XA3vI.exe
      - Executes dropped EXE
      - Adds Run key to start application
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW2He0AD.exe (PID 2212)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RW2He0AD.exe
        - Executes dropped EXE
        - Adds Run key to start application
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ct2Fd0Ko.exe (PID 2004)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ct2Fd0Ko.exe
          - Executes dropped EXE
          - Adds Run key to start application
          C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fY68mQ1.exe (PID 2928)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fY68mQ1.exe
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe (PID 3764)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2xK602dY.exe
            - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\14DC.exe (PID 2384)
  Command line: C:\Users\Admin\AppData\Local\Temp\14DC.exe
  - Executes dropped EXE
C:\Windows\system32\cmd.exe (PID 4032)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1615.bat" "
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2072)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff080446f8,0x7fff08044708,0x7fff08044718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1316)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2528)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2500)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2416)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3320)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2092)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 464)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 432)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2828)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1116)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5740)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5824)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,8394237466055925305,11974248396442996792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4928)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3948)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff080446f8,0x7fff08044708,0x7fff08044718
C:\Users\Admin\AppData\Local\Temp\176E.exe (PID 3768)
  Command line: C:\Users\Admin\AppData\Local\Temp\176E.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\274E.exe (PID 3388)
  Command line: C:\Users\Admin\AppData\Local\Temp\274E.exe
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\29FE.exe (PID 4404)
  Command line: C:\Users\Admin\AppData\Local\Temp\29FE.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\2E06.exe (PID 3900)
  Command line: C:\Users\Admin\AppData\Local\Temp\2E06.exe
  - Executes dropped EXE
  - Loads dropped DLL
  C:\Windows\SysWOW64\WerFault.exe (PID 3392)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 804
    - Program crash
C:\Users\Admin\AppData\Local\Temp\35D7.exe (PID 256)
  Command line: C:\Users\Admin\AppData\Local\Temp\35D7.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\37FB.exe (PID 1156)
  Command line: C:\Users\Admin\AppData\Local\Temp\37FB.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe (PID 980)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3900 -ip 3900
C:\Users\Admin\AppData\Local\Temp\40A7.exe (PID 5040)
  Command line: C:\Users\Admin\AppData\Local\Temp\40A7.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2976)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\System32\CompPkgSrv.exe (PID 1508)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 1616)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\59ED.exe (PID 412)
  Command line: C:\Users\Admin\AppData\Local\Temp\59ED.exe
  - Checks computer location settings
  - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe (PID 244)
    Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    - Executes dropped EXE
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5260)
      Command line: powershell -nologo -noprofile
    C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe (PID 4144)
      Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Drops file in Windows directory
      - Modifies data under HKEY_USERS
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5416)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
      C:\Windows\system32\cmd.exe (PID 2016)
        Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        C:\Windows\system32\netsh.exe (PID 5696)
          Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          - Modifies Windows Firewall
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5736)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4748)
        Command line: powershell -nologo -noprofile
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
      C:\Windows\rss\csrss.exe (PID 5224)
        Command line: C:\Windows\rss\csrss.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Manipulates WinMonFS driver.
        - Drops file in Windows directory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5124)
          Command line: powershell -nologo -noprofile
          - Executes dropped EXE
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
        C:\Windows\SYSTEM32\schtasks.exe (PID 572)
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
        C:\Windows\SYSTEM32\schtasks.exe (PID 3236)
          Command line: schtasks /delete /tn ScheduledUpdate /f
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4664)
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4944)
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 5044)
          Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          - Executes dropped EXE
        C:\Windows\SYSTEM32\schtasks.exe (PID 5488)
          Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          - DcRat
          - Creates scheduled task(s)
        C:\Windows\windefender.exe (PID 4720)
          Command line: "C:\Windows\windefender.exe"
          - Executes dropped EXE
          C:\Windows\SysWOW64\cmd.exe (PID 1624)
            Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
            C:\Windows\SysWOW64\sc.exe (PID 4388)
              Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              - Launches sc.exe
  C:\Users\Admin\AppData\Local\Temp\oldplayer.exe (PID 2596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
    C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 2700)
      Command line: "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      - Checks computer location settings
      - Executes dropped EXE
      C:\Windows\SysWOW64\schtasks.exe (PID 2668)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        - DcRat
        - Creates scheduled task(s)
      C:\Windows\SysWOW64\cmd.exe (PID 4960)
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        C:\Windows\SysWOW64\cmd.exe (PID 4104)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (PID 4372)
          Command line: CACLS "oneetx.exe" /P "Admin:N"
        C:\Windows\SysWOW64\cacls.exe (PID 2596)
          Command line: CACLS "oneetx.exe" /P "Admin:R" /E
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
        C:\Windows\SysWOW64\cmd.exe (PID 4580)
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        C:\Windows\SysWOW64\cacls.exe (PID 2068)
          Command line: CACLS "..\207aa4515d" /P "Admin:N"
        C:\Windows\SysWOW64\cacls.exe (PID 5136)
          Command line: CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\5CFB.exe (PID 4216)
  Command line: C:\Users\Admin\AppData\Local\Temp\5CFB.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\6568.exe (PID 3964)
  Command line: C:\Users\Admin\AppData\Local\Temp\6568.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\6828.exe (PID 4336)
  Command line: C:\Users\Admin\AppData\Local\Temp\6828.exe
  - Executes dropped EXE
  - Adds Run key to start application
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe (PID 4372)
  Command line: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe (PID 900)
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 5124)
  Command line: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Windows\windefender.exe (PID 4552)
  Command line: C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe (PID 5564)
  Command line: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (PID 5448)
  Command line: C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe (PID 3900)
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (3)
- Scripting (1)
Downloads
-
Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize: 152B
MD5: 3d5af55f794f9a10c5943d2f80dde5c5
SHA1: 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256: 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512: 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71
-
Filesize: 152B
MD5: 3d5af55f794f9a10c5943d2f80dde5c5
SHA1: 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256: 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512: 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71
-
Filesize: 152B
MD5: 3d5af55f794f9a10c5943d2f80dde5c5
SHA1: 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256: 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512: 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71
-
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize: 5KB
MD5: 453bd72fe3f6e36189164571abefed69
SHA1: 0f78de33e2908a74bfbfec2f8b383abd497ceca6
SHA256: af4dc76a262722cb046b781e87b8a54388fafc7d58f100b5364fb0b937d9102e
SHA512: 0342603635d0107cdca3ea732b47de82ed98e4b10d0a6fc0273aedf8a0344849acf9133a7552a09aa63620800bb57ab9f965b35b082ae59ec1ef4274da6bf32c
-
Filesize: 6KB
MD5: 661d619adb93c58f8206b13adeb46869
SHA1: cb86addc4efb09907f2857ab62ce4fd662cc77d7
SHA256: d6cc181f278ff72640c14ca3e587deb5359dd8b541890743ba7149167f4dc449
SHA512: 49d1581dd2abfb3137c32a91a8b3ab244a8837c55e0564f760eac3c0f60dffcf288afff1eea495668ccb719f33d50592d66d4725825dcbc3eec14d9e19a71ef6
-
Filesize: 24KB
MD5: 10f5b64000466c1e6da25fb5a0115924
SHA1: cb253bacf2b087c4040eb3c6a192924234f68639
SHA256: d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b
SHA512: 8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db
-
Filesize: 872B
MD5: 22abdb43bc757c6f21d87d6392738053
SHA1: 6b7b2557c0ac63981c0e986180968aaeac7de780
SHA256: 2881c78a10bc04a2f7dc31ede803a7ce9ed7582cc31a5317bd3077796a154681
SHA512: 373cd08c45d1bf996bc4b8eb325f8a5ddc1bfe45807d91b9aabcb11379b2d935878646235328b69b11f7092496ebf7b42fd822e43311547922880cbe6e0b1a16
-
Filesize: 371B
MD5: 3b397cc27836d705cfd171fbed2968b4
SHA1: c34a5d703afa31bfe6503ab7fc55dac39ef31865
SHA256: cd2684998f5231142d43060002716994c4b9db8780a7c142968ebfe692969d7e
SHA512: cfa247aced34d21dae6c5f26a98167f293fe628cc50aa17255ce5c21da76c520620063bb623cdd092e7b7ad457809e0fb6896cd0b10b035fe9bbf3b887620f69
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 10KB
MD5: 3ef2d7df819fb21f77e4f6c63d6048b4
SHA1: 02815782a3b6afe201dd0febb2c42e80c1273a8c
SHA256: 76ed7cf67870cfa0e7b966092b6d0cc88f8b2474595fc1ed0e48a980028f60af
SHA512: 9b82fc156de2687ec6e8ba858b3b592ff93371524c6921e8fe6231914cd9135be0605ef9e5c8712ac83d2715db60c15b321410799bf492139cb30d1b643f1ccb
-
Filesize: 10KB
MD5: 5bd113b27cf599d1d31e21ddbf0d2a80
SHA1: 730597d4c3c7530ca902a94076b04fc8c0c0bc07
SHA256: 0c738e1a5a1362b38c4c62362a107694279a9f6dacdbbf824abcf4562759fbfc
SHA512: f7eaabbccaa6543c482226c95195aa634224323bb85154a4e58f3d84de58f10dcc4228027fd723531b86cacfb1ae654f8a1948ba4918aeb578f7c68e55b4981e
-
Filesize: 1016KB
MD5: 7aea9c0554d0988a4fff6ac5e6f76458
SHA1: 8ef5d7b8cf26ec9e4321bfbd054061a2b2a765a8
SHA256: 5f5db827e4b0b622f2570f9d4cabbedfb2b0aab868282eeb5ac9c28276d736b1
SHA512: 8a5506ff567da8ca497b5c7e5656171bbcd8b1d7ef52782338b9d62d9428dca4cb9cb3d43eee9430f5f4eee369a31132aa2e44feb43f50d7fefbea1b1b5a5e40
-
Filesize
1016KB
MD57aea9c0554d0988a4fff6ac5e6f76458
SHA18ef5d7b8cf26ec9e4321bfbd054061a2b2a765a8
SHA2565f5db827e4b0b622f2570f9d4cabbedfb2b0aab868282eeb5ac9c28276d736b1
SHA5128a5506ff567da8ca497b5c7e5656171bbcd8b1d7ef52782338b9d62d9428dca4cb9cb3d43eee9430f5f4eee369a31132aa2e44feb43f50d7fefbea1b1b5a5e40
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
434KB
MD516028051f2cff284062da8666b55f3be
SHA1ba3f5f9065ecb57c0f1404d5e1751a9512844d1c
SHA25604ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0
SHA512a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8
-
Filesize
434KB
MD516028051f2cff284062da8666b55f3be
SHA1ba3f5f9065ecb57c0f1404d5e1751a9512844d1c
SHA25604ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0
SHA512a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8
-
Filesize
434KB
MD516028051f2cff284062da8666b55f3be
SHA1ba3f5f9065ecb57c0f1404d5e1751a9512844d1c
SHA25604ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0
SHA512a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8
-
Filesize
434KB
MD516028051f2cff284062da8666b55f3be
SHA1ba3f5f9065ecb57c0f1404d5e1751a9512844d1c
SHA25604ec519ce641c6986f15134d8c49fb1ccf21debab72b65e165cc8cb158ba7ec0
SHA512a100c9811c1e9a2e91be476d93569fb4275d218aab6b8688aed882e5d9acf543fc394d08fa2f8fe48a3bb4b89f86881c048891926aa546632980d469950542c8
-
Filesize
4.1MB
MD581e4fc7bd0ee078ccae9523fa5cb17a3
SHA14d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA5124cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
877KB
MD55313a5e74a97d9da5dc1589f2242d6bd
SHA15a6637593af2bbac114b070d2ff5e87fdc16f6c9
SHA25639e3765060e76c654226131298aa099683a7966ece4c9015882e74e5250fe746
SHA5123e9c4f47b383356da779982534974cb35e65a0dee4b5badcde44b24403353b2a76d2b5b102f933ccd944a644c19ed20c7ef9528dc717fd120111b9d4dad4f2d6
-
Filesize
877KB
MD55313a5e74a97d9da5dc1589f2242d6bd
SHA15a6637593af2bbac114b070d2ff5e87fdc16f6c9
SHA25639e3765060e76c654226131298aa099683a7966ece4c9015882e74e5250fe746
SHA5123e9c4f47b383356da779982534974cb35e65a0dee4b5badcde44b24403353b2a76d2b5b102f933ccd944a644c19ed20c7ef9528dc717fd120111b9d4dad4f2d6
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
1017KB
MD5aea9295802325a93458b48558380d54e
SHA1d4d3af7d2f60b649d13ecc81438c5c7046a01bb1
SHA25641b5f4445938b13f2e8da53741af30ecfe3534a529af82e70b40a86d887c6da2
SHA512f7700416267d4e44126be740fc604d998633dcf0e5549fb0750906f35da2be06928a7a1bdb0a5c5d159f13f84c8581739a6f6b81af72c1fbdecea79c9cc23ebe
-
Filesize
1017KB
MD5aea9295802325a93458b48558380d54e
SHA1d4d3af7d2f60b649d13ecc81438c5c7046a01bb1
SHA25641b5f4445938b13f2e8da53741af30ecfe3534a529af82e70b40a86d887c6da2
SHA512f7700416267d4e44126be740fc604d998633dcf0e5549fb0750906f35da2be06928a7a1bdb0a5c5d159f13f84c8581739a6f6b81af72c1fbdecea79c9cc23ebe
-
Filesize
392KB
MD59abdcb200d5e260de238671feff4f379
SHA13e48d28cfeb98ee286bca6bca2a4329809c2887d
SHA256cdedc59b2ced7c6b04bd8804142fdcea65a508e19738af2e513f8a95c3044396
SHA51240ee1abc7088d65b0477cce98ada3275b41922794535085946b5d009fa0a0d6d7bff2e95a5acbb540291e0a1172f47b11ae1df10cc21caeb7c87d14c3c857adf
-
Filesize
392KB
MD59abdcb200d5e260de238671feff4f379
SHA13e48d28cfeb98ee286bca6bca2a4329809c2887d
SHA256cdedc59b2ced7c6b04bd8804142fdcea65a508e19738af2e513f8a95c3044396
SHA51240ee1abc7088d65b0477cce98ada3275b41922794535085946b5d009fa0a0d6d7bff2e95a5acbb540291e0a1172f47b11ae1df10cc21caeb7c87d14c3c857adf
-
Filesize
756KB
MD508abc139032f2fe12cdbd200b32c5164
SHA13ddd6986d1d56a1711f0e2ece58884ce629fd7c0
SHA256dc1054697d8f95aff058a31d57e31b780cd2eb3d0b687bdcae2093ea561fae40
SHA5125a39b21cbd44b1c4edddf9f33482b853432596676f830919b52db2863c80971ac2bcf2c12a4fd3ac97593e1de46d58d1fa392d3043c194354866f98b29d1a301
-
Filesize
756KB
MD508abc139032f2fe12cdbd200b32c5164
SHA13ddd6986d1d56a1711f0e2ece58884ce629fd7c0
SHA256dc1054697d8f95aff058a31d57e31b780cd2eb3d0b687bdcae2093ea561fae40
SHA5125a39b21cbd44b1c4edddf9f33482b853432596676f830919b52db2863c80971ac2bcf2c12a4fd3ac97593e1de46d58d1fa392d3043c194354866f98b29d1a301
-
Filesize
688KB
MD5926b635add3c5f7d4ad2ab8bc356a311
SHA17e49db1a680c2f8da39ef6e3c8935df3b6236999
SHA256d0ab3e8358ff02a4129c4ddbca2895a466a90b09d19e5a78882df9c3bc91ebd6
SHA512a37c6171dfb1e382460d3183ede58353284e1b7af636821677fd078af1038b28f3af43582ba9e427b6ce4371f7f4a18b742aee9f4e3947df145cab178e60d4c4
-
Filesize
688KB
MD5926b635add3c5f7d4ad2ab8bc356a311
SHA17e49db1a680c2f8da39ef6e3c8935df3b6236999
SHA256d0ab3e8358ff02a4129c4ddbca2895a466a90b09d19e5a78882df9c3bc91ebd6
SHA512a37c6171dfb1e382460d3183ede58353284e1b7af636821677fd078af1038b28f3af43582ba9e427b6ce4371f7f4a18b742aee9f4e3947df145cab178e60d4c4
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
573KB
MD5e4c6c50d6aedff783cc282f4e8d90790
SHA1c1bc3bd09cc78e21a5005a9e0222eb20f7dd76c8
SHA256cbcdd1e0214b0d719782e61b02e6ccb283dea28f72b3447db84370f3db55da1b
SHA512c46c56a11e4cf043c060089350dea6c8bafffc878804bc8356c72f5bd176e9c19a47b87ad1057db82df47d70465c862134cd3db0c383e33b78daaaed6312fc73
-
Filesize
573KB
MD5e4c6c50d6aedff783cc282f4e8d90790
SHA1c1bc3bd09cc78e21a5005a9e0222eb20f7dd76c8
SHA256cbcdd1e0214b0d719782e61b02e6ccb283dea28f72b3447db84370f3db55da1b
SHA512c46c56a11e4cf043c060089350dea6c8bafffc878804bc8356c72f5bd176e9c19a47b87ad1057db82df47d70465c862134cd3db0c383e33b78daaaed6312fc73
-
Filesize
514KB
MD5bb2179db24389d64c0698215b7f0a29b
SHA125798c35937815d228ad3e1772ed7a26e58c4607
SHA2560e2b148187781e501ab5d56ae83adf575c643f327f24a3e7ff186516e8072347
SHA512f6ecd53e13da88e3d431e9fbef6793add79ddfd936b853dbb0c048bafcecb83cc2e4d9d124eaf6916ff1a1d61275f048c061ceade9613eb54051b053189007b0
-
Filesize
514KB
MD5bb2179db24389d64c0698215b7f0a29b
SHA125798c35937815d228ad3e1772ed7a26e58c4607
SHA2560e2b148187781e501ab5d56ae83adf575c643f327f24a3e7ff186516e8072347
SHA512f6ecd53e13da88e3d431e9fbef6793add79ddfd936b853dbb0c048bafcecb83cc2e4d9d124eaf6916ff1a1d61275f048c061ceade9613eb54051b053189007b0
-
Filesize
248KB
MD57d20d12f3d7d36bb025b134d239bdef2
SHA10b0e5c4f71153509e283bca5ed98bf499a902cd9
SHA256583e918ef4aa33e955d5a3429b5469585f484604fbbd1009701826043739c04f
SHA512855853436f10e4c92c0c632d4a27ffcf61c22aaa7ecb19cfc9236113623e519bcdf4027dfd350e84a683de2faf6c4da0d20eca5269f16601fdd539808e7703ed
-
Filesize
248KB
MD57d20d12f3d7d36bb025b134d239bdef2
SHA10b0e5c4f71153509e283bca5ed98bf499a902cd9
SHA256583e918ef4aa33e955d5a3429b5469585f484604fbbd1009701826043739c04f
SHA512855853436f10e4c92c0c632d4a27ffcf61c22aaa7ecb19cfc9236113623e519bcdf4027dfd350e84a683de2faf6c4da0d20eca5269f16601fdd539808e7703ed
-
Filesize
341KB
MD58c76945ccd18d349cab0acb10f2bbfff
SHA1633fcb033390581fb851c05fe8104c6616ce5c93
SHA2565c088dc4d6435be6210197c3f3d61a6fd77de767f80fecb90de196b93e8bf6ae
SHA5127e8e5ac7f8fbb710269eaf070a1010f12395c139d3b8a4ebfc920a74144e281e0b3c8842b022c4bce7a08c5ba2bb6fcdd944e98741b12be892ee3631b728d516
-
Filesize
341KB
MD58c76945ccd18d349cab0acb10f2bbfff
SHA1633fcb033390581fb851c05fe8104c6616ce5c93
SHA2565c088dc4d6435be6210197c3f3d61a6fd77de767f80fecb90de196b93e8bf6ae
SHA5127e8e5ac7f8fbb710269eaf070a1010f12395c139d3b8a4ebfc920a74144e281e0b3c8842b022c4bce7a08c5ba2bb6fcdd944e98741b12be892ee3631b728d516
-
Filesize
319KB
MD534a8c968e298e4ce266d7b2ec48f9a23
SHA11f92cd167505ecb653720ddd49a8c1a44ec5ef10
SHA2560cd26f9ed63c6282d5e9e5ad685e7ee5fb7e0c996d60cc26e2178fcd7a3ecfc8
SHA5125781dd5315c796369a64836be31a63a44e46f2e8644fc750c5324bdbcb113bc7906ceaf8719857b8bec78fc66dfe3e2b71455419b9688c27752f8f74a9b693d2
-
Filesize
319KB
MD534a8c968e298e4ce266d7b2ec48f9a23
SHA11f92cd167505ecb653720ddd49a8c1a44ec5ef10
SHA2560cd26f9ed63c6282d5e9e5ad685e7ee5fb7e0c996d60cc26e2178fcd7a3ecfc8
SHA5125781dd5315c796369a64836be31a63a44e46f2e8644fc750c5324bdbcb113bc7906ceaf8719857b8bec78fc66dfe3e2b71455419b9688c27752f8f74a9b693d2
-
Filesize
229KB
MD56737cf5d4192c2c81d007185ea60397d
SHA156d5ebd47a6d5e2535614b8f750cadc15aed0821
SHA256a9641a202d9bb3b71f5012e5ad93bab1f47d650cf7bb20b45ccedbecbcef3d23
SHA5122f3e27139b4df868ee72d0fb46f8ef4a1556fcde579daa2835f0be89876da0ce315ac44496af0109b834b47f9790e78c7d58c75c55f94c4f19a53bd37fefa0ac
-
Filesize
229KB
MD56737cf5d4192c2c81d007185ea60397d
SHA156d5ebd47a6d5e2535614b8f750cadc15aed0821
SHA256a9641a202d9bb3b71f5012e5ad93bab1f47d650cf7bb20b45ccedbecbcef3d23
SHA5122f3e27139b4df868ee72d0fb46f8ef4a1556fcde579daa2835f0be89876da0ce315ac44496af0109b834b47f9790e78c7d58c75c55f94c4f19a53bd37fefa0ac
-
Filesize
358KB
MD594290ce88cbe2d6ead0f01ae2c7f56f7
SHA1734d733bb4be25c77540868d10f83d5e88ccd83f
SHA25634c25c812e7c48efb0f4c42acf96217170c75799bd3a86ace5c3c07a8508a3dc
SHA51221e526944a391181d4d29c81483ffecace208cdb0aa661f9e20f1765dbd516c7e64ffa15e6beefcd65fbef88fafd553f5639312d72db0b9358447ecfcc5c98e4
-
Filesize
358KB
MD594290ce88cbe2d6ead0f01ae2c7f56f7
SHA1734d733bb4be25c77540868d10f83d5e88ccd83f
SHA25634c25c812e7c48efb0f4c42acf96217170c75799bd3a86ace5c3c07a8508a3dc
SHA51221e526944a391181d4d29c81483ffecace208cdb0aa661f9e20f1765dbd516c7e64ffa15e6beefcd65fbef88fafd553f5639312d72db0b9358447ecfcc5c98e4
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
222KB
MD50df006de2f6f07bdc61cc44453af4d77
SHA188e2ad6ed6e7f5a281c4cdc56d2f9a50438b33b1
SHA256f87a3d513f323a929716a900df70b0536a1b5bc87e0039dd6038811c4cc9668e
SHA512740807b59efe91c4926124c3d424943bada2d8203871cdb2ecab9b5d70d84df8b6142d9fc5aa9f859b29b313657f648fb5da6efa76112023dca400e956d95978
-
Filesize
222KB
MD50df006de2f6f07bdc61cc44453af4d77
SHA188e2ad6ed6e7f5a281c4cdc56d2f9a50438b33b1
SHA256f87a3d513f323a929716a900df70b0536a1b5bc87e0039dd6038811c4cc9668e
SHA512740807b59efe91c4926124c3d424943bada2d8203871cdb2ecab9b5d70d84df8b6142d9fc5aa9f859b29b313657f648fb5da6efa76112023dca400e956d95978
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
89KB
MD52ac6d3fcf6913b1a1ac100407e97fccb
SHA1809f7d4ed348951b79745074487956255d1d0a9a
SHA25630f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
SHA51279ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6
-
Filesize
273B
MD50c459e65bcc6d38574f0c0d63a87088a
SHA141e53d5f2b3e7ca859b842a1c7b677e0847e6d65
SHA256871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
SHA512be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d
-
Filesize
89KB
MD5ec41f740797d2253dc1902e71941bbdb
SHA1407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA25647425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33
-
Filesize
273B
MD56d5040418450624fef735b49ec6bffe9
SHA15fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e