Analysis
-
max time kernel
100s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
19/10/2023, 10:22
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230915-en
General
-
Target
file.exe
-
Size
855KB
-
MD5
5cb427bd9a314cd00354c7fde949e9ac
-
SHA1
3b7b84fbe2bc577ee1d572e5bb49413219b91a33
-
SHA256
db2d5629df8d990ffb67b0573563b53fcaa3676c21cc164053f4abce40cfa8ae
-
SHA512
6893649fe49c0b964c5743cc1b2f0aa67c5e0db44ba7e39597e2148f3e5552aa951f2caf8baf2dbf3934ee32a669dd5e42e390b219af8f14629bf739ea103076
-
SSDEEP
24576:jy208IwOOAr5a1fmEVjtL68OlUNmNmwrnwyMR6N:220FOArA1fbHHqUbWnwJ6
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
breha
77.91.124.55:19071
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
pixelscloud2.0
85.209.176.128:80
Extracted
redline
kukish
77.91.124.55:19071
Extracted
redline
@ytlogsbot
185.216.70.238:37515
Extracted
redline
5141679758_99
https://pastebin.com/raw/8baCJyMF
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe 1152 schtasks.exe 4968 schtasks.exe 5044 schtasks.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1gi83ps6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1gi83ps6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1gi83ps6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1gi83ps6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 514C.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 1gi83ps6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1gi83ps6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 514C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 514C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 514C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 514C.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 17 IoCs
resource yara_rule behavioral2/files/0x000600000002327a-52.dat family_redline behavioral2/files/0x000600000002327a-53.dat family_redline behavioral2/memory/3920-54-0x0000000000170000-0x00000000001AE000-memory.dmp family_redline behavioral2/files/0x0007000000023288-99.dat family_redline behavioral2/files/0x0007000000023288-100.dat family_redline behavioral2/files/0x0007000000023288-94.dat family_redline behavioral2/files/0x0007000000023297-145.dat family_redline behavioral2/files/0x000400000001e6e1-152.dat family_redline behavioral2/files/0x000400000001e6e1-153.dat family_redline behavioral2/memory/860-169-0x0000000000BF0000-0x0000000000C0E000-memory.dmp family_redline behavioral2/memory/60-166-0x0000000000170000-0x00000000001CA000-memory.dmp family_redline behavioral2/memory/4436-179-0x00000000020C0000-0x000000000211A000-memory.dmp family_redline behavioral2/files/0x0006000000023292-194.dat family_redline behavioral2/files/0x0006000000023292-198.dat family_redline behavioral2/memory/2288-202-0x0000000000C50000-0x0000000000C8E000-memory.dmp family_redline behavioral2/files/0x0007000000023297-165.dat family_redline behavioral2/memory/2132-214-0x00000000006F0000-0x000000000072E000-memory.dmp family_redline -
SectopRAT payload 4 IoCs
resource yara_rule behavioral2/files/0x0007000000023297-145.dat family_sectoprat behavioral2/memory/860-169-0x0000000000BF0000-0x0000000000C0E000-memory.dmp family_sectoprat behavioral2/memory/60-178-0x0000000007230000-0x0000000007240000-memory.dmp family_sectoprat behavioral2/files/0x0007000000023297-165.dat family_sectoprat -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 5608 created 3124 5608 latestX.exe 50 PID 5608 created 3124 5608 latestX.exe 50 PID 5608 created 3124 5608 latestX.exe 50 PID 5608 created 3124 5608 latestX.exe 50 PID 5608 created 3124 5608 latestX.exe 50 -
Blocklisted process makes network request 2 IoCs
flow pid Process 99 1152 cmd.exe 104 1152 cmd.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2628 netsh.exe -
Stops running service(s) 3 TTPs
-
.NET Reactor proctector 21 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/1952-124-0x0000000002480000-0x00000000024A0000-memory.dmp net_reactor behavioral2/memory/1952-131-0x0000000002540000-0x000000000255E000-memory.dmp net_reactor behavioral2/memory/1952-135-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-133-0x0000000004BA0000-0x0000000004BB0000-memory.dmp net_reactor behavioral2/memory/1952-140-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-144-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-147-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-155-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-160-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-168-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-182-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-186-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-192-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-197-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-177-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-200-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-206-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-204-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-173-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/1952-164-0x0000000002540000-0x0000000002558000-memory.dmp net_reactor behavioral2/memory/2288-305-0x00000000079C0000-0x00000000079D0000-memory.dmp net_reactor -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation explothe.exe Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation 83BC.exe Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation 5227.exe -
Executes dropped EXE 36 IoCs
pid Process 4864 OT2If21.exe 232 oL5RR46.exe 3136 rD0hz63.exe 2656 ka4yh75.exe 3244 1gi83ps6.exe 4640 2oB5870.exe 3100 3sO37sU.exe 3920 4ql522dO.exe 2580 4D7F.exe 2568 4E4B.exe 3188 xN8VP0Pk.exe 2700 PO0GY9Kh.exe 3864 5051.exe 4372 nR7Ki5xF.exe 1952 514C.exe 1384 xa9dg5Dd.exe 2140 1dx01lH8.exe 2704 5227.exe 4436 548A.exe 860 5556.exe 60 568F.exe 4588 explothe.exe 2288 2MM263Ua.exe 4700 6045.exe 5064 83BC.exe 1152 8BBC.exe 4108 9A63.exe 796 9E3C.exe 5192 toolspub2.exe 5312 31839b57a4f11171d6abc8bbc4451ee4.exe 5608 latestX.exe 5664 toolspub2.exe 1160 explothe.exe 5704 31839b57a4f11171d6abc8bbc4451ee4.exe 2432 csrss.exe 1112 updater.exe -
Loads dropped DLL 1 IoCs
pid Process 632 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 1gi83ps6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 514C.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 1gi83ps6.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" PO0GY9Kh.exe Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" ka4yh75.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" 4D7F.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" xN8VP0Pk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" xa9dg5Dd.exe Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\9A63.exe'\"" 9A63.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" OT2If21.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" oL5RR46.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" rD0hz63.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" nR7Ki5xF.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4700 set thread context of 2132 4700 6045.exe 121 PID 5192 set thread context of 5664 5192 toolspub2.exe 152 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe latestX.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4620 sc.exe 5328 sc.exe 396 sc.exe 6060 sc.exe 6000 sc.exe 6112 sc.exe 5628 sc.exe 5944 sc.exe 2248 sc.exe 5220 sc.exe 2692 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3sO37sU.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3sO37sU.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3sO37sU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1152 schtasks.exe 4968 schtasks.exe 5044 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3244 1gi83ps6.exe 3244 1gi83ps6.exe 3100 3sO37sU.exe 3100 3sO37sU.exe 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE 3124 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3124 Explorer.EXE -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3100 3sO37sU.exe 5664 toolspub2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3244 1gi83ps6.exe Token: SeDebugPrivilege 1952 514C.exe Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeDebugPrivilege 860 5556.exe Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeDebugPrivilege 60 568F.exe Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE Token: SeShutdownPrivilege 3124 Explorer.EXE Token: SeCreatePagefilePrivilege 3124 Explorer.EXE -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe 1524 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4764 wrote to memory of 4864 4764 file.exe 82 PID 4764 wrote to memory of 4864 4764 file.exe 82 PID 4764 wrote to memory of 4864 4764 file.exe 82 PID 4864 wrote to memory of 232 4864 OT2If21.exe 83 PID 4864 wrote to memory of 232 4864 OT2If21.exe 83 PID 4864 wrote to memory of 232 4864 OT2If21.exe 83 PID 232 wrote to memory of 3136 232 oL5RR46.exe 84 PID 232 wrote to memory of 3136 232 oL5RR46.exe 84 PID 232 wrote to memory of 3136 232 oL5RR46.exe 84 PID 3136 wrote to memory of 2656 3136 rD0hz63.exe 85 PID 3136 wrote to memory of 2656 3136 rD0hz63.exe 85 PID 3136 wrote to memory of 2656 3136 rD0hz63.exe 85 PID 2656 wrote to memory of 3244 2656 ka4yh75.exe 86 PID 2656 wrote to memory of 3244 2656 ka4yh75.exe 86 PID 2656 wrote to memory of 3244 2656 ka4yh75.exe 86 PID 2656 wrote to memory of 4640 2656 ka4yh75.exe 88 PID 2656 wrote to memory of 4640 2656 ka4yh75.exe 88 PID 2656 wrote to memory of 4640 2656 ka4yh75.exe 88 PID 3136 wrote to memory of 3100 3136 rD0hz63.exe 89 PID 3136 wrote to memory of 3100 3136 rD0hz63.exe 89 PID 3136 wrote to memory of 3100 3136 rD0hz63.exe 89 PID 232 wrote to memory of 3920 232 oL5RR46.exe 90 PID 232 wrote to memory of 3920 232 oL5RR46.exe 90 PID 232 wrote to memory of 3920 232 oL5RR46.exe 90 PID 3124 wrote to memory of 2580 3124 Explorer.EXE 93 PID 3124 wrote to memory of 2580 3124 Explorer.EXE 93 PID 3124 wrote to memory of 2580 3124 Explorer.EXE 93 PID 3124 wrote to memory of 2568 3124 Explorer.EXE 94 PID 3124 wrote to memory of 2568 3124 Explorer.EXE 94 PID 3124 wrote to memory of 2568 3124 Explorer.EXE 94 PID 2580 wrote to memory of 3188 2580 4D7F.exe 95 PID 2580 wrote to memory of 3188 2580 4D7F.exe 95 PID 2580 wrote to memory of 3188 2580 4D7F.exe 95 PID 3124 wrote to memory of 3648 3124 Explorer.EXE 96 PID 3124 wrote to memory of 3648 3124 Explorer.EXE 96 PID 3188 wrote to memory of 2700 3188 xN8VP0Pk.exe 98 PID 3188 wrote to memory of 2700 3188 xN8VP0Pk.exe 98 PID 3188 wrote to memory of 2700 3188 xN8VP0Pk.exe 98 PID 3124 wrote to memory of 3864 3124 Explorer.EXE 99 PID 3124 wrote to memory of 3864 3124 Explorer.EXE 99 PID 3124 wrote to memory of 3864 3124 Explorer.EXE 99 PID 2700 wrote to memory of 4372 2700 PO0GY9Kh.exe 100 PID 2700 wrote to memory of 4372 2700 PO0GY9Kh.exe 100 PID 2700 wrote to memory of 4372 2700 PO0GY9Kh.exe 100 PID 3124 wrote to memory of 1952 3124 Explorer.EXE 101 PID 3124 wrote to memory of 1952 3124 Explorer.EXE 101 PID 3124 wrote to memory of 1952 3124 Explorer.EXE 101 PID 4372 wrote to memory of 1384 4372 nR7Ki5xF.exe 102 PID 4372 wrote to memory of 1384 4372 nR7Ki5xF.exe 102 PID 4372 wrote to memory of 1384 4372 nR7Ki5xF.exe 102 PID 1384 wrote to memory of 2140 1384 xa9dg5Dd.exe 103 PID 1384 wrote to memory of 2140 1384 xa9dg5Dd.exe 103 PID 1384 wrote to memory of 2140 1384 xa9dg5Dd.exe 103 PID 3124 wrote to memory of 2704 3124 Explorer.EXE 104 PID 3124 wrote to memory of 2704 3124 Explorer.EXE 104 PID 3124 wrote to memory of 2704 3124 Explorer.EXE 104 PID 3124 wrote to memory of 4436 3124 Explorer.EXE 105 PID 3124 wrote to memory of 4436 3124 Explorer.EXE 105 PID 3124 wrote to memory of 4436 3124 Explorer.EXE 105 PID 3124 wrote to memory of 860 3124 Explorer.EXE 107 PID 3124 wrote to memory of 860 3124 Explorer.EXE 107 PID 3124 wrote to memory of 860 3124 Explorer.EXE 107 PID 3124 wrote to memory of 60 3124 Explorer.EXE 109 PID 3124 wrote to memory of 60 3124 Explorer.EXE 109 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3124 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OT2If21.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\oL5RR46.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rD0hz63.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ka4yh75.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gi83ps6.exe7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2oB5870.exe7⤵
- Executes dropped EXE
PID:4640
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3sO37sU.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3100
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ql522dO.exe5⤵
- Executes dropped EXE
PID:3920
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4D7F.exeC:\Users\Admin\AppData\Local\Temp\4D7F.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xN8VP0Pk.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\PO0GY9Kh.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\nR7Ki5xF.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exeC:\Users\Admin\AppData\Local\Temp\IXP006.TMP\xa9dg5Dd.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exeC:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1dx01lH8.exe7⤵
- Executes dropped EXE
PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exeC:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2MM263Ua.exe7⤵
- Executes dropped EXE
PID:2288
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4E4B.exeC:\Users\Admin\AppData\Local\Temp\4E4B.exe2⤵
- Executes dropped EXE
PID:2568
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4F56.bat" "2⤵PID:3648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1524 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:34⤵PID:4976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:84⤵PID:3968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:14⤵PID:4348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:14⤵PID:3108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:24⤵PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:14⤵PID:844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:14⤵PID:1860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:14⤵PID:3972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:14⤵PID:5300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:14⤵PID:5376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:14⤵PID:5368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:14⤵PID:5732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:14⤵PID:5712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,7643038011990742187,8569689097933109085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:14⤵PID:5904
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/3⤵PID:5056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e47184⤵PID:4584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,4084226594957414341,16671510639444320544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:34⤵PID:4560
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5051.exeC:\Users\Admin\AppData\Local\Temp\5051.exe2⤵
- Executes dropped EXE
PID:3864
-
-
C:\Users\Admin\AppData\Local\Temp\514C.exeC:\Users\Admin\AppData\Local\Temp\514C.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Users\Admin\AppData\Local\Temp\5227.exeC:\Users\Admin\AppData\Local\Temp\5227.exe2⤵
- Checks computer location settings
- Executes dropped EXE
PID:2704 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4588 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F4⤵
- DcRat
- Creates scheduled task(s)
PID:1152
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵PID:1048
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4284
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"5⤵PID:4708
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E5⤵PID:6136
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:5268
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵PID:5272
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵PID:3824
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:632
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\548A.exeC:\Users\Admin\AppData\Local\Temp\548A.exe2⤵
- Executes dropped EXE
PID:4436 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=548A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵PID:1392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=548A.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵PID:5432
-
-
-
C:\Users\Admin\AppData\Local\Temp\5556.exeC:\Users\Admin\AppData\Local\Temp\5556.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860
-
-
C:\Users\Admin\AppData\Local\Temp\568F.exeC:\Users\Admin\AppData\Local\Temp\568F.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60
-
-
C:\Users\Admin\AppData\Local\Temp\6045.exeC:\Users\Admin\AppData\Local\Temp\6045.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵PID:2132
-
-
-
C:\Users\Admin\AppData\Local\Temp\83BC.exeC:\Users\Admin\AppData\Local\Temp\83BC.exe2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5192 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5664
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
PID:5312 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:5684
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5704 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3852
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:4176
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:2628
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3056
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5108
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Modifies data under HKEY_USERS
PID:3656
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:4968
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:5152
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:4960
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵PID:388
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵PID:3060
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:5044
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵PID:2704
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:5964
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
PID:6000
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:5608
-
-
-
C:\Users\Admin\AppData\Local\Temp\8BBC.exeC:\Users\Admin\AppData\Local\Temp\8BBC.exe2⤵
- Executes dropped EXE
PID:1152
-
-
C:\Users\Admin\AppData\Local\Temp\9A63.exeC:\Users\Admin\AppData\Local\Temp\9A63.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4108
-
-
C:\Users\Admin\AppData\Local\Temp\9E3C.exeC:\Users\Admin\AppData\Local\Temp\9E3C.exe2⤵
- Executes dropped EXE
PID:796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4936
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1164
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2692
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:6112
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:5628
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:5944
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2248
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Blocklisted process makes network request
PID:1152 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:5848
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:5868
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:3268
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:3332
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:3504
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:5532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4312
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:3036
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:4620
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:5328
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:5220
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:396
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:6060
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1324
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:4080
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:5836
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:5904
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:4936
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:5020
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:5716
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:5788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e47181⤵PID:4660
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3440
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e47181⤵PID:2364
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa059e46f8,0x7ffa059e4708,0x7ffa059e47181⤵PID:5472
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:1160
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:5272
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Executes dropped EXE
PID:1112
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:4884
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵PID:6044
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
2Modify Registry
3Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
152B
MD54d25fc6e43a16159ebfd161f28e16ef7
SHA149941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1
-
Filesize
6KB
MD5d4842e6b6d6291a38625cfaad4cdfc8c
SHA152012794224ac62ebe7935da348aae09e24828bd
SHA256193c7e83dbf4e6e896677009df2637b157b75f39b0c832bbea050bf5bd401bc5
SHA512d54e50c6b87b102ba64fc4d42f904e37b349dfc77b53d2ef7da90d2c9f82dea7d15319a8428f0e413c517d5081f0d5a134c1a6e04dbc54548e13c29758e12553
-
Filesize
5KB
MD53af151bb6b62375e1879cddca2c676f2
SHA1a3ac4516798834d7db0010adf3d1633e693c91db
SHA2565a5ba8240911b265864fd09a23043132b9d7e669fdf3e27e77cc98339469a765
SHA512430bcff4e2b2e2e9fde7764ba6f0d87c65db79ee943a7babe24eae57c262c07df1884603e697b1f3172dc2c76f2e84a8b1a8bde3053082e5830c3f5f50782f32
-
Filesize
24KB
MD5d555d038867542dfb2fb0575a0d3174e
SHA11a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f
-
Filesize
2KB
MD534d2ddcc485e09422987ab4773546596
SHA1ff076124ed2267a1f60a0f730dd50e68a62cb9e0
SHA256d2d75c71f6a35fb82349b1b10512efc612e9ba8eb23cb9563cb7b76ec734fa08
SHA512dbae5e1b4b895a5844dfbbf7d6ad1d5d178809e35ce97d792a417416334be87a5e57b4b13f6c0df924f5c47851adffaecac1b689a73cb303316579962da934ee
-
Filesize
10KB
MD545e0fd964935f8e3e1c2155e830b146c
SHA165383605b3ac81812e1a754b0e7caf423294830f
SHA256ff0f4a66c9656b89aebed494934bbe6c2195797860700ff2cc7ebdef67676a46
SHA512f4b480b5f27f99cc6d177b3b13eb470a8bfc58c127ffb0ec479825cadfccfe6d14194d258a65845ce79a67c687e78ae0e8bd1d3f9baa743ceb4d70c5a4ad3b79
-
Filesize
4.1MB
MD50bce2fed456a72a2486b1d17621c88d6
SHA14cbff382f76920526ec0bc81a05bfd372dd88229
SHA25609d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA51274c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4
-
Filesize
1016KB
MD5e830704145aa2ea00d0642863e4dee2c
SHA194fd8da90f6f7d6b8a408e19f1fab6512bfb706a
SHA2566f76e615a91c1764b24c01d8df58c943da66c608616ab1fd0920d7e56257da90
SHA5121f3138cedbabece3ed1ee26a7887f6383b2a1e1560c95c94af3bc186238f55585ffa650e75a56c5e0dfc8562de5e677bd92136c2ca0e2d03ad37176cdb4d2fc0
-
Filesize
1016KB
MD5e830704145aa2ea00d0642863e4dee2c
SHA194fd8da90f6f7d6b8a408e19f1fab6512bfb706a
SHA2566f76e615a91c1764b24c01d8df58c943da66c608616ab1fd0920d7e56257da90
SHA5121f3138cedbabece3ed1ee26a7887f6383b2a1e1560c95c94af3bc186238f55585ffa650e75a56c5e0dfc8562de5e677bd92136c2ca0e2d03ad37176cdb4d2fc0
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
10.0MB
MD585fb3b5dffede43c9eb9510b19e440b4
SHA16623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA2563bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40
-
Filesize
10.0MB
MD585fb3b5dffede43c9eb9510b19e440b4
SHA16623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA2563bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40
-
Filesize
184KB
MD542d97769a8cfdfedac8e03f6903e076b
SHA101c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA51238d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
728KB
MD560d075f42035b2177a8fa6cdd957016c
SHA1004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA25604c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA5127808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2
-
Filesize
728KB
MD560d075f42035b2177a8fa6cdd957016c
SHA1004ba7ec6f5a37e396c46cc116d90e017c4ed375
SHA25604c0de269aba327fb85433a6aeb4c08acaee010ba623529cf947001983401fea
SHA5127808c94923ad3ddc108d55ca4fe3d31a527da0689916110924f059bf44db268751f9847b1b66d0f394cd47d3ab927dc45c2c59071d74432847f4b7a8c9255ed2
-
Filesize
545KB
MD5419382a23412a6a7a353d1526218f494
SHA13b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA25689b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af
-
Filesize
545KB
MD5419382a23412a6a7a353d1526218f494
SHA13b00f0c094c4d1410fae0e972a148eeb31ba351d
SHA25689b3dfadce9df0c66f8a1f2b7cec682037dd354129413aa0b30e319c3cfa6a34
SHA512988ec0c0add6af232e116971abb749bca543fd4b1aa04f4352f335d1b5fb3b5971253afb6cf56397d4efab7574caece3d68a409e25dd846df354f0d7944361af
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
371KB
MD5b94e82d67bac5db54f03ab1328670106
SHA10180a21589c450665b065227f90e65909fe4e4fc
SHA25690ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA51246ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b
-
Filesize
371KB
MD5b94e82d67bac5db54f03ab1328670106
SHA10180a21589c450665b065227f90e65909fe4e4fc
SHA25690ebb26463931285839854d7d3329136a4c7df37cfbf208ea391d61b37f1c2e8
SHA51246ec8c0a65214f246020510596c2e1bb2ac236eb30845bbbcd9b3e5a8448e8bb8554464b8efa7d0ce30cb74cb542916ab7483efdafae325e33a39a296824b50b
-
Filesize
30KB
MD535a15fad3767597b01a20d75c3c6889a
SHA1eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA25690ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577
-
Filesize
30KB
MD535a15fad3767597b01a20d75c3c6889a
SHA1eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA25690ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577
-
Filesize
246KB
MD5983cab65e427a23305d0d799164045b1
SHA164eecacc76d7cb027da9e513da7af619f91b3961
SHA256fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA5121e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e
-
Filesize
246KB
MD5983cab65e427a23305d0d799164045b1
SHA164eecacc76d7cb027da9e513da7af619f91b3961
SHA256fb1e3bb687f7f123eb052e5daa58607be6ac5b59b5264e012d054137a0934099
SHA5121e88a2b8f3030191fc403b962b0fe0860ae898100e7d493675f8cd1756941331c3320085406b7da84bc7b620b608c2d268b2aab4b0c90f683af9ff77eb15527e
-
Filesize
878KB
MD5ff199c12213a50c5fa15a13c5aaa4b59
SHA13015a225ceb8a8a7b89450650f87b95d4dff767b
SHA25636fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37
-
Filesize
878KB
MD5ff199c12213a50c5fa15a13c5aaa4b59
SHA13015a225ceb8a8a7b89450650f87b95d4dff767b
SHA25636fe08aba1af0f6ea77bfc79dde59714b952c760dcee21870285e74d3c9dbb2f
SHA512df1dd6f0749ac096cb1cd14d9c182858fab087b12e3cb7b5681503b537c9f5a5bdd4587e1171f858301a5555033d47d1a4b8f8d4ce3410a8a7b2a6cb540dde37
-
Filesize
11KB
MD522b50c95b39cbbdb00d5a4cd3d4886bd
SHA1db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac
-
Filesize
11KB
MD522b50c95b39cbbdb00d5a4cd3d4886bd
SHA1db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
689KB
MD55d1eb76849c7bffe2b14e254c8ff3f07
SHA1247d8a80df3dcadf2af777721362859a7e11b576
SHA256995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab
-
Filesize
689KB
MD55d1eb76849c7bffe2b14e254c8ff3f07
SHA1247d8a80df3dcadf2af777721362859a7e11b576
SHA256995ebe2e477e43a5bf211559a2b866eb063cc19ceea4dc64cc726f687098b3c9
SHA512aff79ace75e725fc897fc9e66547563713456bdbd0fbddb11f1705481328c048f909e0518ebc8ef2243734afd4b092ad20ee69dba3302f97d37c6bc4625e52ab
-
Filesize
514KB
MD57e8c7490ff1fa36b377ce2beae28d6b6
SHA1051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA2567bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1
-
Filesize
514KB
MD57e8c7490ff1fa36b377ce2beae28d6b6
SHA1051c7fa3eb4b5459e1340fb459a3282dba90c7bc
SHA2567bd4327a70dab4d763ff5bb177b5da1c27e33e007950f148b7a1e55d08f9248d
SHA512e6c64ac0f3e488b0a65ce873be56fefee720e1b999ef960eb18a771ece9577d87ddb700d0a4d760377b5828266423d20e3518a8b3edc2848593a706de01f5ab1
-
Filesize
319KB
MD55afe8f59a4e41e151cd8cecbe6ef0b65
SHA152aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a
-
Filesize
319KB
MD55afe8f59a4e41e151cd8cecbe6ef0b65
SHA152aefba202fd89db5cb39a1093c0e03c7ed05485
SHA256b133defb1f52dda8aa51fe02b1c4c5f13d8c08182df2900af07e8a08c3602653
SHA512ec46c86cf9659aa9e449156efe51d255afa458f96fcd314466f3a0b51cdd8f309faf6e724740fbf794365646e6c39a879dca36c129e89e915a85e974aafd174a
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
223KB
MD59c09addd66419cd6c464d75796f88410
SHA11511ea6a4f123d6c45fa5084da0889271b029c0e
SHA256edd97e10e9184c98a0a2cde8fea8a05ef7c3549d76ee6419a67780dd5cbf3d07
SHA5126cf8caa3a73ae77e4ab6019f92a1a86553e2ac9a4dd32837606185a6ff98167cd6addc3337c8c53d96bc7040a998822384eeccbd5427af4071eb4770311e6797
-
Filesize
223KB
MD59c09addd66419cd6c464d75796f88410
SHA11511ea6a4f123d6c45fa5084da0889271b029c0e
SHA256edd97e10e9184c98a0a2cde8fea8a05ef7c3549d76ee6419a67780dd5cbf3d07
SHA5126cf8caa3a73ae77e4ab6019f92a1a86553e2ac9a4dd32837606185a6ff98167cd6addc3337c8c53d96bc7040a998822384eeccbd5427af4071eb4770311e6797
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
241KB
MD5e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1399a478e94abf553332d11c18b9f88894ecaeabe
SHA256b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9