Analysis
-
max time kernel
120s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
18/10/2023, 17:10
Static task
static1
Behavioral task
behavioral1
Sample
7c95e5d57f635ca970b10a8df879b8ba.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
7c95e5d57f635ca970b10a8df879b8ba.exe
Resource
win10v2004-20230915-en
General
-
Target
7c95e5d57f635ca970b10a8df879b8ba.exe
-
Size
230KB
-
MD5
7c95e5d57f635ca970b10a8df879b8ba
-
SHA1
4cf916479053a57749a28f9bdea0e2d683504bc0
-
SHA256
85d9e05afbe86c05e9eba2dbaaf03fe38c20cb1555a5e60414c6794ad06c4062
-
SHA512
a5be7a4a31ae0af0d8b36a40b099e93924d2c248f1c6aa04cb9646d813063e59503c86b4fe6fbc6af578adeee1c77d05dfceba6e99504733c6a077fe59272ca9
-
SSDEEP
6144:Xm8X4FIRd5DzznuBosiDKl51eAOnr0ecrkxaTi:XlIKd5DPyeupTi
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
pixelscloud2.0
85.209.176.128:80
Extracted
redline
breha
77.91.124.55:19071
Extracted
redline
@ytlogsbot
185.216.70.238:37515
Extracted
redline
5141679758_99
https://pastebin.com/raw/8baCJyMF
Extracted
redline
motion
168.119.126.250:19180
Extracted
redline
kukish
77.91.124.55:19071
Extracted
amadey
3.83
http://5.42.65.80/8bmeVwqx/index.php
-
install_dir
207aa4515d
-
install_file
oneetx.exe
-
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4
Signatures
-
DcRat 6 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 5600 schtasks.exe 3808 schtasks.exe 5448 schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8CE6.exe'\"" 8CE6.exe 768 schtasks.exe -
Glupteba payload 8 IoCs
resource yara_rule behavioral2/memory/1308-441-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/1308-553-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/2036-633-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/2036-693-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/4600-755-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/4600-775-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/4600-794-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba behavioral2/memory/4600-807-0x0000000000400000-0x0000000002FB8000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 15 IoCs
resource yara_rule behavioral2/files/0x0008000000023206-82.dat family_redline behavioral2/files/0x0008000000023206-86.dat family_redline behavioral2/memory/4216-88-0x0000000002070000-0x00000000020CA000-memory.dmp family_redline behavioral2/files/0x000700000002320a-90.dat family_redline behavioral2/files/0x000700000002320a-94.dat family_redline behavioral2/memory/4268-144-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/memory/3428-185-0x00000000005B0000-0x00000000005EE000-memory.dmp family_redline behavioral2/memory/3896-199-0x0000000000D60000-0x0000000000D7E000-memory.dmp family_redline behavioral2/memory/4732-211-0x0000000000250000-0x00000000002AA000-memory.dmp family_redline behavioral2/files/0x0007000000023229-228.dat family_redline behavioral2/files/0x0007000000023229-229.dat family_redline behavioral2/memory/1832-248-0x0000000000320000-0x000000000035E000-memory.dmp family_redline behavioral2/files/0x0006000000023220-340.dat family_redline behavioral2/memory/1668-350-0x0000000000E50000-0x0000000000E8E000-memory.dmp family_redline behavioral2/files/0x0006000000023220-338.dat family_redline -
SectopRAT payload 3 IoCs
resource yara_rule behavioral2/files/0x0008000000023206-82.dat family_sectoprat behavioral2/files/0x0008000000023206-86.dat family_sectoprat behavioral2/memory/3896-199-0x0000000000D60000-0x0000000000D7E000-memory.dmp family_sectoprat -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 4588 netsh.exe -
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/8-232-0x0000000002400000-0x0000000002420000-memory.dmp net_reactor behavioral2/memory/8-271-0x0000000004AD0000-0x0000000004AEE000-memory.dmp net_reactor -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation oneetx.exe Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation 495D.exe Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation 7535.exe Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation explothe.exe Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation oldplayer.exe -
Executes dropped EXE 29 IoCs
pid Process 2788 3870.exe 4992 414B.exe 3176 4719.exe 8 4814.exe 2228 495D.exe 4216 4E60.exe 3896 513F.exe 1676 lr1co6Cv.exe 4732 52F5.exe 4868 hd6uB7QV.exe 5028 pM9kN1ZX.exe 1488 58A4.exe 1228 Ar4Fw0MJ.exe 3496 1zc82ld4.exe 3700 7535.exe 2080 8718.exe 4968 8CE6.exe 1832 916B.exe 932 9803.exe 4952 explothe.exe 1668 2Ya739IV.exe 1308 31839b57a4f11171d6abc8bbc4451ee4.exe 2044 oldplayer.exe 5468 oneetx.exe 2036 31839b57a4f11171d6abc8bbc4451ee4.exe 3692 explothe.exe 4204 tucrbij 4960 oneetx.exe 4600 csrss.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/2268-792-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral2/memory/4428-805-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8CE6.exe'\"" 8CE6.exe Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3870.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" lr1co6Cv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" hd6uB7QV.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" pM9kN1ZX.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" Ar4Fw0MJ.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 1708 set thread context of 4416 1708 7c95e5d57f635ca970b10a8df879b8ba.exe 84 PID 4992 set thread context of 2044 4992 414B.exe 125 PID 3176 set thread context of 4268 3176 4719.exe 126 PID 1488 set thread context of 3428 1488 58A4.exe 130 PID 3496 set thread context of 912 3496 1zc82ld4.exe 140 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 6080 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4828 912 WerFault.exe 140 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3808 schtasks.exe 5448 schtasks.exe 768 schtasks.exe 5600 schtasks.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4416 AppLaunch.exe 4416 AppLaunch.exe 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found 3180 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3180 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4416 AppLaunch.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
pid Process 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found Token: SeShutdownPrivilege 3180 Process not Found Token: SeCreatePagefilePrivilege 3180 Process not Found -
Suspicious use of FindShellTrayWindow 51 IoCs
pid Process 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 2044 oldplayer.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe -
Suspicious use of SendNotifyMessage 48 IoCs
pid Process 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe 1556 msedge.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3180 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1708 wrote to memory of 4416 1708 7c95e5d57f635ca970b10a8df879b8ba.exe 84 PID 1708 wrote to memory of 4416 1708 7c95e5d57f635ca970b10a8df879b8ba.exe 84 PID 1708 wrote to memory of 4416 1708 7c95e5d57f635ca970b10a8df879b8ba.exe 84 PID 1708 wrote to memory of 4416 1708 7c95e5d57f635ca970b10a8df879b8ba.exe 84 PID 1708 wrote to memory of 4416 1708 7c95e5d57f635ca970b10a8df879b8ba.exe 84 PID 1708 wrote to memory of 4416 1708 7c95e5d57f635ca970b10a8df879b8ba.exe 84 PID 3180 wrote to memory of 2788 3180 Process not Found 94 PID 3180 wrote to memory of 2788 3180 Process not Found 94 PID 3180 wrote to memory of 2788 3180 Process not Found 94 PID 3180 wrote to memory of 4992 3180 Process not Found 95 PID 3180 wrote to memory of 4992 3180 Process not Found 95 PID 3180 wrote to memory of 4992 3180 Process not Found 95 PID 3180 wrote to memory of 456 3180 Process not Found 97 PID 3180 wrote to memory of 456 3180 Process not Found 97 PID 3180 wrote to memory of 3176 3180 Process not Found 99 PID 3180 wrote to memory of 3176 3180 Process not Found 99 PID 3180 wrote to memory of 3176 3180 Process not Found 99 PID 3180 wrote to memory of 8 3180 Process not Found 101 PID 3180 wrote to memory of 8 3180 Process not Found 101 PID 3180 wrote to memory of 8 3180 Process not Found 101 PID 456 wrote to memory of 1764 456 cmd.exe 102 PID 456 wrote to memory of 1764 456 cmd.exe 102 PID 3180 wrote to memory of 2228 3180 Process not Found 103 PID 3180 wrote to memory of 2228 3180 Process not Found 103 PID 3180 wrote to memory of 2228 3180 Process not Found 103 PID 3180 wrote to memory of 4216 3180 Process not Found 105 PID 3180 wrote to memory of 4216 3180 Process not Found 105 PID 3180 wrote to memory of 4216 3180 Process not Found 105 PID 3180 wrote to memory of 3896 3180 Process not Found 107 PID 3180 wrote to memory of 3896 3180 Process not Found 107 PID 3180 wrote to memory of 3896 3180 Process not Found 107 PID 2788 wrote to memory of 1676 2788 3870.exe 109 PID 2788 wrote to memory of 1676 2788 3870.exe 109 PID 2788 wrote to memory of 1676 2788 3870.exe 109 PID 3180 wrote to memory of 4732 3180 Process not Found 110 PID 3180 wrote to memory of 4732 3180 Process not Found 110 PID 3180 wrote to memory of 4732 3180 Process not Found 110 PID 456 wrote to memory of 1808 456 cmd.exe 111 PID 456 wrote to memory of 1808 456 cmd.exe 111 PID 1808 wrote to memory of 3840 1808 msedge.exe 114 PID 1808 wrote to memory of 3840 1808 msedge.exe 114 PID 1676 wrote to memory of 4868 1676 lr1co6Cv.exe 113 PID 1676 wrote to memory of 4868 1676 lr1co6Cv.exe 113 PID 1676 wrote to memory of 4868 1676 lr1co6Cv.exe 113 PID 1764 wrote to memory of 5052 1764 msedge.exe 112 PID 1764 wrote to memory of 5052 1764 msedge.exe 112 PID 4868 wrote to memory of 5028 4868 hd6uB7QV.exe 115 PID 4868 wrote to memory of 5028 4868 hd6uB7QV.exe 115 PID 4868 wrote to memory of 5028 4868 hd6uB7QV.exe 115 PID 4992 wrote to memory of 2252 4992 414B.exe 116 PID 4992 wrote to memory of 2252 4992 414B.exe 116 PID 4992 wrote to memory of 2252 4992 414B.exe 116 PID 3180 wrote to memory of 1488 3180 Process not Found 117 PID 3180 wrote to memory of 1488 3180 Process not Found 117 PID 3180 wrote to memory of 1488 3180 Process not Found 117 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 PID 1808 wrote to memory of 4316 1808 msedge.exe 119 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c95e5d57f635ca970b10a8df879b8ba.exe"C:\Users\Admin\AppData\Local\Temp\7c95e5d57f635ca970b10a8df879b8ba.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4416
-
-
C:\Users\Admin\AppData\Local\Temp\3870.exeC:\Users\Admin\AppData\Local\Temp\3870.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr1co6Cv.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr1co6Cv.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hd6uB7QV.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hd6uB7QV.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pM9kN1ZX.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pM9kN1ZX.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5028 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ar4Fw0MJ.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ar4Fw0MJ.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1228 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zc82ld4.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1zc82ld4.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 5408⤵
- Program crash
PID:4828
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ya739IV.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Ya739IV.exe6⤵
- Executes dropped EXE
PID:1668
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\414B.exeC:\Users\Admin\AppData\Local\Temp\414B.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2252
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4524.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login2⤵
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffbd97c46f8,0x7ffbd97c4708,0x7ffbd97c47183⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5826076629078940385,13602180858953233799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:23⤵PID:2692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5826076629078940385,13602180858953233799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:33⤵PID:2292
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd97c46f8,0x7ffbd97c4708,0x7ffbd97c47183⤵PID:3840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 /prefetch:33⤵PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 /prefetch:23⤵PID:4316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:83⤵PID:4284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:13⤵PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:13⤵PID:3852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:13⤵PID:3956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:13⤵PID:1688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:13⤵PID:3720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:13⤵PID:924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15436819811598096019,2979060250833897794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:13⤵PID:5312
-
-
-
C:\Users\Admin\AppData\Local\Temp\4719.exeC:\Users\Admin\AppData\Local\Temp\4719.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3176 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:4268
-
-
C:\Users\Admin\AppData\Local\Temp\4814.exeC:\Users\Admin\AppData\Local\Temp\4814.exe1⤵
- Executes dropped EXE
PID:8
-
C:\Users\Admin\AppData\Local\Temp\495D.exeC:\Users\Admin\AppData\Local\Temp\495D.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F3⤵
- DcRat
- Creates scheduled task(s)
PID:768
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit3⤵PID:224
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:5540
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"4⤵PID:5552
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E4⤵PID:5868
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:5900
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"4⤵PID:5932
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E4⤵PID:5988
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main3⤵PID:5108
-
-
-
C:\Users\Admin\AppData\Local\Temp\4E60.exeC:\Users\Admin\AppData\Local\Temp\4E60.exe1⤵
- Executes dropped EXE
PID:4216 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4E60.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵PID:2000
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd97c46f8,0x7ffbd97c4708,0x7ffbd97c47183⤵PID:5628
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4E60.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1556 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffbd97c46f8,0x7ffbd97c4708,0x7ffbd97c47183⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:33⤵PID:868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:23⤵PID:2836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:83⤵PID:4688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:13⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:13⤵PID:2556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:13⤵PID:5420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:83⤵PID:5968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:83⤵PID:5992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:13⤵PID:2964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:13⤵PID:4576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:13⤵PID:5844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12223259817563182734,13991013856096378741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:13⤵PID:5848
-
-
-
C:\Users\Admin\AppData\Local\Temp\513F.exeC:\Users\Admin\AppData\Local\Temp\513F.exe1⤵
- Executes dropped EXE
PID:3896
-
C:\Users\Admin\AppData\Local\Temp\52F5.exeC:\Users\Admin\AppData\Local\Temp\52F5.exe1⤵
- Executes dropped EXE
PID:4732
-
C:\Users\Admin\AppData\Local\Temp\58A4.exeC:\Users\Admin\AppData\Local\Temp\58A4.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1488 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:3428
-
-
C:\Users\Admin\AppData\Local\Temp\7535.exeC:\Users\Admin\AppData\Local\Temp\7535.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
PID:5468 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F4⤵
- DcRat
- Creates scheduled task(s)
PID:5600
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit4⤵PID:5784
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:5908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:5892
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:5968
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:5996
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:N"5⤵PID:6012
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\207aa4515d" /P "Admin:R" /E5⤵PID:6044
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:3632
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2036 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5192
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:4160
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:4588
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3192
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5260
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4104
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:3808
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:5900
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Modifies data under HKEY_USERS
PID:4120
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵PID:5724
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:5448
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵PID:2268
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:5456
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:6080
-
-
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3708
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1076
-
C:\Users\Admin\AppData\Local\Temp\8718.exeC:\Users\Admin\AppData\Local\Temp\8718.exe1⤵
- Executes dropped EXE
PID:2080
-
C:\Users\Admin\AppData\Local\Temp\8CE6.exeC:\Users\Admin\AppData\Local\Temp\8CE6.exe1⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
PID:4968
-
C:\Users\Admin\AppData\Local\Temp\916B.exeC:\Users\Admin\AppData\Local\Temp\916B.exe1⤵
- Executes dropped EXE
PID:1832
-
C:\Users\Admin\AppData\Local\Temp\9803.exeC:\Users\Admin\AppData\Local\Temp\9803.exe1⤵
- Executes dropped EXE
PID:932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 912 -ip 9121⤵PID:4920
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:628
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:3692
-
C:\Users\Admin\AppData\Roaming\tucrbijC:\Users\Admin\AppData\Roaming\tucrbij1⤵
- Executes dropped EXE
PID:4204
-
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exeC:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe1⤵
- Executes dropped EXE
PID:4960
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:4428
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask1⤵PID:2964
-
C:\Users\Admin\AppData\Roaming\tucrbijC:\Users\Admin\AppData\Roaming\tucrbij1⤵PID:5936
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD56351be8b63227413881e5dfb033459cc
SHA1f24489be1e693dc22d6aac7edd692833c623d502
SHA256e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA51266e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef
-
Filesize
152B
MD516c2a9f4b2e1386aab0e353614a63f0d
SHA16edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA2560f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
Filesize
152B
MD516c2a9f4b2e1386aab0e353614a63f0d
SHA16edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA2560f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
Filesize
152B
MD516c2a9f4b2e1386aab0e353614a63f0d
SHA16edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA2560f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06
-
Filesize
152B
MD5e203500de24f55c758d73841a82f9f19
SHA1e0c4880d86356b80b4239450d99f336cc77e07b4
SHA2569d47690912b8864f956723d122c4eaa26fd75b5732df96181d41e622b4c40e27
SHA512a683290c9c58120abc48668e13e62e198e26eba09e3dd917ea04864742abaa8cf573a9765dc94aa04bbfc726979122bee43d544cd404977d7923b615ad0e04fb
-
Filesize
152B
MD513971bc59989b016beed4d0b4fad65bb
SHA1127a044cb5113b139e36e287fe7910e25c1d0b7d
SHA2562d0e9bff6856b566f2966430ecc6f849920199803f9efb63faaf8ee5135c82b6
SHA51207de5c65841e5215cb6ad51bd4f688be417527d7fa99574938f63a553a0308132d973b3c5ac600cf157ae546b72896bf9ae88b58d0c97b54e574661820964281
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize936B
MD55f44c3c7865da25dfa4aab3363640068
SHA1324638c20953a3a7e46bb604ddf4b6e53b0ba693
SHA256f6b20408722e7abe99ac9c27a0c8619a8d0624452850d6e652845447624456c5
SHA512d1879666cc2edf62fd4125a8293b26c2df4a69bccfede71a5090703cd4d3272e18c4021b9c3347a381f333598d91c7091b21175d91c81ffee85031cb7fa3fcd0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5940b8.TMP
Filesize840B
MD5237d2105cb8a62c875aab15f5965bc2e
SHA11455a42b919a42a93d42c4226fd7dc7335466acc
SHA25604dd3b2d490f9a36d2bf0ad7eb9cfcc35b3471b78d6df2076ec321c225f409e2
SHA5121d45372513bbb0519c9798e8bcee02d7f183679c194c3a7319773df75e9118d1552e8c6c580f11dc6e03fd067bc6f4c6ea2eb09c41167e1cc7763028b9875d26
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
268B
MD5e0c32170e0b9d1adcd719c99d4657a9b
SHA1fe41f67ac662bb44eba6b649912242a590281c42
SHA2564814019e9178b288e334328b0703109ff98194c243d79d99b6518e537579ade4
SHA512be15082a268ad82986dcc998135c5430ab0c1f6b2e3957d5235693d6f88265fb63a7072d4a9ba5447728a08e57c4c6f1207d34630d2bb520d341ae0e84cf881a
-
Filesize
5KB
MD5e6fbd971f6c4b117f385995ff5d03d32
SHA1500819f833d2c6d0028410d50f128cd4abb9f615
SHA2562fb2d007fa3e7d75761390529517df8255ea5da4352baa648d628930ed07bb08
SHA512fcf04367cf919fe7b4668907cc469ac15c5b8c556644f6e5ded8e71d787a687dca39dd1a94d5bca2b45ea267c0a87ba0342c575d2a6228d9ea9591af25435e85
-
Filesize
6KB
MD542c15382e2dba3e35af922c0183ea756
SHA1aa0c5ac6af50e377e6516cafac42808bf043a2f5
SHA2567536803634c6824af09c85a16208f2a356f71bf70d0ac8819bb6f6846426e5d7
SHA51208cbaae0052a59458dfd63f27358247bd639720f477c783f2394b817e3dfa0e96781b86013cc4482fc6f6c4777ebaf3261f72e4055ed2f5b59363cd85d226c6a
-
Filesize
5KB
MD551ee6bfee553fc8f64aed4c1dd87e30f
SHA1570b2f433cfd38115719e0c82d52ce6580942712
SHA2564210b2d278c7816bdb059cfb0e0e33776d343bc861903c590d674f6323386cf4
SHA512e0ca805fc2e3b138066cd0e91a3737904d1bc60f00ed48b496efa170cc4e3977e0e7ec26e69a12e2cde5a3a83f95bce2a3adf8280a1896ce5014888cb4c16b4e
-
Filesize
5KB
MD555a2b5bd474af683373c5c5b07e3ee1b
SHA126773a4cd9719eb951d9775cc62166ea2c0f3cd8
SHA2567549aa6d3916725c31796dad935a46556ee5904b046a92280a481f694ef9c54e
SHA5128a70091cf6a57e20f10d1d3768bf73648221807bb8f5ab20232eed0bafab04ced659f2cd5001024596716597c315a772d9766a18a4d63cb6ead61c2efdfef85e
-
Filesize
6KB
MD5b6efbe9ab2973006fc7bd4764e23d21c
SHA1a1211ff7e480dc23cbb9a78525f68a78b74d6160
SHA25633f966deb54773ae84958ea25fddeb33348c4c1d9edfa2685837c25ab290eb52
SHA512be2893efa0d0f64b3fe747460011b1830586fb32c20f14b5e1d69a125caaac26abf9bc27d20a03ff3668e0da6f6b4987452e510d76b908ea319e74d2714abcf2
-
Filesize
24KB
MD5699e3636ed7444d9b47772e4446ccfc1
SHA1db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA2569205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51
-
Filesize
371B
MD54bf7648b88d12209a839a7ef39daf75c
SHA1640f2208252ba5ee2171913c88a8bfb683c97026
SHA2567af5a647ff19a05ac4aec8712e952680fb078a7f9b90457ab45362defefb9c50
SHA512b8ac317827b3bc27fc2bfc8d2bd398a553c4826899737657e50a0453822fc1b0b3dedd48b508553b9ba6d55ad81f97a30a98c2a31ce4d312fb540321817a314e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD57afbdf5950b74846b253b0e08d4856be
SHA1dfbe1bde43cd9fce3b847869c7b6847be90f55a9
SHA256368f3dc51c2fd9faaef972d444519d8eb6bd22df3101db8f02066457ed14f318
SHA512fa11d5bc8dcbac56f27233cf27fb64b4d0179da1441b054e94a8c87f20a550f650a7ea6ba54c2ad75a10c08a368c71179edf64e30ea7d4f972d2f2dc34016122
-
Filesize
2KB
MD57afbdf5950b74846b253b0e08d4856be
SHA1dfbe1bde43cd9fce3b847869c7b6847be90f55a9
SHA256368f3dc51c2fd9faaef972d444519d8eb6bd22df3101db8f02066457ed14f318
SHA512fa11d5bc8dcbac56f27233cf27fb64b4d0179da1441b054e94a8c87f20a550f650a7ea6ba54c2ad75a10c08a368c71179edf64e30ea7d4f972d2f2dc34016122
-
Filesize
10KB
MD5259b58832bb80ab0c3fa48d894ceb821
SHA12f01a7662ea722c791cc636781a47c8cf3503252
SHA2560fefce31a7d2cfafc946048c4b317a5adbd77528d8b1ef249ba4036584128fe3
SHA512f90001287f4eaa42c31445b94e963b544d8dce87e60209d8b87b147450ec436d11da8109ec8842cb43e2aa53fcc8ecbb474fc6c91fa8f5d1ba7f6c582af10d7c
-
Filesize
11KB
MD5371561c0ae99d5d802bb4eb3597f1991
SHA1f9c06a26561f9b476cb2496559d48dc241382ccf
SHA2562337d9e746aa6ff29027a2af2d28a420b7ec67ee8e46d23c464c00f293fdce4c
SHA5127b48bc578f81455b2ecfdbad50bf3b34fd893a8aec7c42b2e30dc0723f95917310df6331bd56b1634134b17660f1a2712fab1cfcdc0b9d861a3b5a3c51536105
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
4.1MB
MD581e4fc7bd0ee078ccae9523fa5cb17a3
SHA14d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA5124cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22
-
Filesize
4.1MB
MD581e4fc7bd0ee078ccae9523fa5cb17a3
SHA14d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA5124cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22
-
Filesize
4.1MB
MD581e4fc7bd0ee078ccae9523fa5cb17a3
SHA14d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA5124cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22
-
Filesize
1.2MB
MD58d9e6bcd744c094ecdce6cb8ccb4aba7
SHA1ee8c0c015811702f3bd636a737ee5ddfa15ef4fb
SHA2565b246c80c0b41ce6aed9f6a5b51a973edb309b36addfb9a71c5a4fecbb4f4f70
SHA512d1a26b1e9841c4e7ca42c03ab731549020377ba060e50291df61c4bf6c5054a290fae6c56a56560a7b5e6187f200839c91738a53327044322de70ede31492c82
-
Filesize
1.2MB
MD58d9e6bcd744c094ecdce6cb8ccb4aba7
SHA1ee8c0c015811702f3bd636a737ee5ddfa15ef4fb
SHA2565b246c80c0b41ce6aed9f6a5b51a973edb309b36addfb9a71c5a4fecbb4f4f70
SHA512d1a26b1e9841c4e7ca42c03ab731549020377ba060e50291df61c4bf6c5054a290fae6c56a56560a7b5e6187f200839c91738a53327044322de70ede31492c82
-
Filesize
380KB
MD5e5b53434ac8cd22063167afd5e92ba67
SHA107f6d4b199ca1fa60a040e021233f749cd11ac3e
SHA256c58cc49be4ec775cb9d7b139428ae1ba9b1c90939309e5fef8643f5155c85eb1
SHA5124feb75facc21ad457edaf1cf80bc4106b7f02275bb90a5b04a346570a4dc009c1379300430f0a53ccad3688bbbfd0e1c31ed105e88e5f4d8867f15861164a76d
-
Filesize
380KB
MD5e5b53434ac8cd22063167afd5e92ba67
SHA107f6d4b199ca1fa60a040e021233f749cd11ac3e
SHA256c58cc49be4ec775cb9d7b139428ae1ba9b1c90939309e5fef8643f5155c85eb1
SHA5124feb75facc21ad457edaf1cf80bc4106b7f02275bb90a5b04a346570a4dc009c1379300430f0a53ccad3688bbbfd0e1c31ed105e88e5f4d8867f15861164a76d
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
421KB
MD53e4e15569b0cf2e52d51fb5e900b0af3
SHA190295d9f8cd9b556c6fcd9b18efa4d65589599c8
SHA2567018573f1ed508b0661d4d77dc2f9c88d4986b3f9c40275c6ed6d8f6ae38d63c
SHA51281b1472a58c74866beea0a4249b9a47d093a693174ed450684ee21e39c558c65daacfffeeffae45c769097b391158f26a6c1814c7d5639dd62798822e00559c3
-
Filesize
421KB
MD53e4e15569b0cf2e52d51fb5e900b0af3
SHA190295d9f8cd9b556c6fcd9b18efa4d65589599c8
SHA2567018573f1ed508b0661d4d77dc2f9c88d4986b3f9c40275c6ed6d8f6ae38d63c
SHA51281b1472a58c74866beea0a4249b9a47d093a693174ed450684ee21e39c558c65daacfffeeffae45c769097b391158f26a6c1814c7d5639dd62798822e00559c3
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
4.3MB
MD55678c3a93dafcd5ba94fd33528c62276
SHA18cdd901481b7080e85b6c25c18226a005edfdb74
SHA2562d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7
-
Filesize
4.3MB
MD55678c3a93dafcd5ba94fd33528c62276
SHA18cdd901481b7080e85b6c25c18226a005edfdb74
SHA2562d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7
-
Filesize
184KB
MD542d97769a8cfdfedac8e03f6903e076b
SHA101c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA51238d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77
-
Filesize
184KB
MD542d97769a8cfdfedac8e03f6903e076b
SHA101c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA51238d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
221KB
MD5329092a869c5a6ad11691da35921b5c5
SHA13974f88f74fcad7f20a92b17ff181a01ad3ec1c6
SHA25654be7f543a50e77aa94c242860999d1cebce6bb3f7db2419b1c76143cb0191e6
SHA51215ca79ea1cf11830202b5ab21288cf9039b4389b451374073a5abc9a2f94b0022bc40bbe7d9c184c02cba149fab2651471f0f4c2cb42c19e70d7d92359483038
-
Filesize
221KB
MD5329092a869c5a6ad11691da35921b5c5
SHA13974f88f74fcad7f20a92b17ff181a01ad3ec1c6
SHA25654be7f543a50e77aa94c242860999d1cebce6bb3f7db2419b1c76143cb0191e6
SHA51215ca79ea1cf11830202b5ab21288cf9039b4389b451374073a5abc9a2f94b0022bc40bbe7d9c184c02cba149fab2651471f0f4c2cb42c19e70d7d92359483038
-
Filesize
501KB
MD5d5752c23e575b5a1a1cc20892462634a
SHA1132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8
-
Filesize
501KB
MD5d5752c23e575b5a1a1cc20892462634a
SHA1132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8
-
Filesize
1.1MB
MD5e860b2d02737456da222f55b1a2c7e8a
SHA1367d15a0a73c1bf3bb82a91558531f116744702f
SHA256b0d835b93fcc45f75dc79139cb53e60dd0b525a2aa2206dc0c9987804845e567
SHA5126b5e06e80a1abc8c109eebbd4dda783377d3110bf8f61e957cea1dc2f65b739da536acaecf51e0d6483775b984dc625845882fe8f73a480f49227195e82b3447
-
Filesize
1.1MB
MD5e860b2d02737456da222f55b1a2c7e8a
SHA1367d15a0a73c1bf3bb82a91558531f116744702f
SHA256b0d835b93fcc45f75dc79139cb53e60dd0b525a2aa2206dc0c9987804845e567
SHA5126b5e06e80a1abc8c109eebbd4dda783377d3110bf8f61e957cea1dc2f65b739da536acaecf51e0d6483775b984dc625845882fe8f73a480f49227195e82b3447
-
Filesize
900KB
MD509e0bd749609ca221f512600bb5b0b5e
SHA135545e8814037b6580f37610daa00841acc0b056
SHA256f55a1b7cba8b5c027b90ef62c6f3c8851363c1a4b13c43b23e7ac7c64dfb0b4b
SHA512b96027f56d954d1ca820d871ca2c61d6d2f336e6bd3a5482ef7abab3759cf9b0f6ba68359a6f6d0ec1beaf0cad22f2271b386c106750bf5c95be012289622e95
-
Filesize
900KB
MD509e0bd749609ca221f512600bb5b0b5e
SHA135545e8814037b6580f37610daa00841acc0b056
SHA256f55a1b7cba8b5c027b90ef62c6f3c8851363c1a4b13c43b23e7ac7c64dfb0b4b
SHA512b96027f56d954d1ca820d871ca2c61d6d2f336e6bd3a5482ef7abab3759cf9b0f6ba68359a6f6d0ec1beaf0cad22f2271b386c106750bf5c95be012289622e95
-
Filesize
622KB
MD5e5e166bf3fa5e819ff5f4df8373a1f21
SHA1ecb0b7e9422f8a877e1762950fa02aefdb6a26fb
SHA2566adca395ebb0589ecef0b8cf3398ff0d3fbef7e1495648158550fe26b16fcc34
SHA512337b9d64f49e037fb803bc63552088a4742b1ce3209422e2d1c66a04f52f8bf3d85784f0978614e2fa88819dae5bd09ac22d8f16061ab4f791356969995caeb2
-
Filesize
622KB
MD5e5e166bf3fa5e819ff5f4df8373a1f21
SHA1ecb0b7e9422f8a877e1762950fa02aefdb6a26fb
SHA2566adca395ebb0589ecef0b8cf3398ff0d3fbef7e1495648158550fe26b16fcc34
SHA512337b9d64f49e037fb803bc63552088a4742b1ce3209422e2d1c66a04f52f8bf3d85784f0978614e2fa88819dae5bd09ac22d8f16061ab4f791356969995caeb2
-
Filesize
426KB
MD5c3445f4117dd9dca4c41aa1e6133b6a9
SHA1f12510ef142db1fd9415dc33f501773d3918f1c6
SHA2562b63b7e5fa80a5f9d768ce9d2edf6f5148a6a0151ab7f10d358c122751381d43
SHA512460b337ec3f2862a43be0b2872aa29a3a999ebf33523ffc0d70b0b1ec23bb2a162c38d0061a7d4d529acd77b0100eb89f83162cf979b81db077e4cfb49e8235c
-
Filesize
426KB
MD5c3445f4117dd9dca4c41aa1e6133b6a9
SHA1f12510ef142db1fd9415dc33f501773d3918f1c6
SHA2562b63b7e5fa80a5f9d768ce9d2edf6f5148a6a0151ab7f10d358c122751381d43
SHA512460b337ec3f2862a43be0b2872aa29a3a999ebf33523ffc0d70b0b1ec23bb2a162c38d0061a7d4d529acd77b0100eb89f83162cf979b81db077e4cfb49e8235c
-
Filesize
380KB
MD5632cc447bc085e3cc747f3929f375738
SHA14ce31b154d1821ae80ae89c62251e56a12042d90
SHA25610194ae1dd29a2480373b73027502df6391828885c69a9c1b2ddd46d3decd8e4
SHA5124bc6fc7143367b8d45ea81058b471c3247e984c06d89aa4e6dc6a664e42dfca2ef07f68e100aeeb81f1bea5e4e2f8245d0b3592c96f40c31db6506baae9cb2d2
-
Filesize
380KB
MD5632cc447bc085e3cc747f3929f375738
SHA14ce31b154d1821ae80ae89c62251e56a12042d90
SHA25610194ae1dd29a2480373b73027502df6391828885c69a9c1b2ddd46d3decd8e4
SHA5124bc6fc7143367b8d45ea81058b471c3247e984c06d89aa4e6dc6a664e42dfca2ef07f68e100aeeb81f1bea5e4e2f8245d0b3592c96f40c31db6506baae9cb2d2
-
Filesize
223KB
MD579773862f03d044aa5c7881b07cdace3
SHA139adf4570c325e35c42e75101748e96aa8caac34
SHA2568dbd4b364844ae2360afbf8defc5cf2ac21e64936edf55708b8f61b3c7d808a5
SHA5129828692595a6a6aa63b9785d43811c0511e4a010a0916380507a77a1165a6c1d1040a8160363c16f0a5efb80d6dbfe6df8caed07622a78af12af9697b0d2a557
-
Filesize
223KB
MD579773862f03d044aa5c7881b07cdace3
SHA139adf4570c325e35c42e75101748e96aa8caac34
SHA2568dbd4b364844ae2360afbf8defc5cf2ac21e64936edf55708b8f61b3c7d808a5
SHA5129828692595a6a6aa63b9785d43811c0511e4a010a0916380507a77a1165a6c1d1040a8160363c16f0a5efb80d6dbfe6df8caed07622a78af12af9697b0d2a557
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
198KB
MD5a64a886a695ed5fb9273e73241fec2f7
SHA1363244ca05027c5beb938562df5b525a2428b405
SHA256563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9