Analysis
-
max time kernel
119s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
19/10/2023, 13:52
Static task
static1
Behavioral task
behavioral1
Sample
18cb64a6705bb82fc1d95dc7bbf9c020.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
18cb64a6705bb82fc1d95dc7bbf9c020.exe
Resource
win10v2004-20230915-en
General
-
Target
18cb64a6705bb82fc1d95dc7bbf9c020.exe
-
Size
148KB
-
MD5
18cb64a6705bb82fc1d95dc7bbf9c020
-
SHA1
5d11bc01a2c85c2268bcf225e57deefcfa036f42
-
SHA256
40a0bd36b9cb9ad8c3b6ffc377e35d89425633c1f899f2039993e283669fef32
-
SHA512
f7780bc4a7106b7dec05f63f9999ab066110ed6c28d09d6b3d7ee9b5ecfc1a5d1ecd00b9915f231e0c9318288b8ab3200c578acb5d4b7d8ac56cb44ccb09d2ee
-
SSDEEP
3072:UWPJqJsU12HlWCnUewNzrQuUUpBt2973rC9fma9AlkbmDDPoJ:fJqJsICnU9Q8t9dmXPoJ
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
breha
77.91.124.55:19071
Extracted
redline
kukish
77.91.124.55:19071
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
pixelscloud2.0
85.209.176.128:80
Extracted
redline
5141679758_99
https://pastebin.com/raw/8baCJyMF
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe 4392 schtasks.exe 5316 schtasks.exe 5900 schtasks.exe -
Glupteba payload 8 IoCs
resource yara_rule behavioral2/memory/444-354-0x0000000002F40000-0x000000000382B000-memory.dmp family_glupteba behavioral2/memory/444-359-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/444-429-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/444-481-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/444-555-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/5400-580-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/5400-705-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/1160-720-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection EA06.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" EA06.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" EA06.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" EA06.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" EA06.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" EA06.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 13 IoCs
resource yara_rule behavioral2/files/0x0007000000023263-49.dat family_redline behavioral2/files/0x0007000000023263-51.dat family_redline behavioral2/files/0x0006000000023266-62.dat family_redline behavioral2/files/0x0006000000023266-61.dat family_redline behavioral2/memory/3904-73-0x0000000000BA0000-0x0000000000BDE000-memory.dmp family_redline behavioral2/memory/3696-74-0x0000000000D50000-0x0000000000D8E000-memory.dmp family_redline behavioral2/files/0x000500000001db8d-97.dat family_redline behavioral2/files/0x000500000001db8e-108.dat family_redline behavioral2/files/0x000500000001db8e-110.dat family_redline behavioral2/memory/2228-113-0x00000000008A0000-0x00000000008FA000-memory.dmp family_redline behavioral2/memory/468-136-0x0000000000700000-0x000000000075A000-memory.dmp family_redline behavioral2/memory/2496-116-0x0000000000B80000-0x0000000000B9E000-memory.dmp family_redline behavioral2/files/0x000500000001db8d-115.dat family_redline -
SectopRAT payload 4 IoCs
resource yara_rule behavioral2/files/0x000500000001db8d-97.dat family_sectoprat behavioral2/memory/2228-129-0x0000000007620000-0x0000000007630000-memory.dmp family_sectoprat behavioral2/memory/2496-116-0x0000000000B80000-0x0000000000B9E000-memory.dmp family_sectoprat behavioral2/files/0x000500000001db8d-115.dat family_sectoprat -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
description pid Process procid_target PID 5664 created 3172 5664 latestX.exe 55 PID 5664 created 3172 5664 latestX.exe 55 PID 5664 created 3172 5664 latestX.exe 55 PID 5664 created 3172 5664 latestX.exe 55 PID 5664 created 3172 5664 latestX.exe 55 PID 5384 created 3172 5384 updater.exe 55 PID 5384 created 3172 5384 updater.exe 55 PID 5384 created 3172 5384 updater.exe 55 PID 5384 created 3172 5384 updater.exe 55 -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 4864 netsh.exe -
Stops running service(s) 3 TTPs
-
.NET Reactor proctector 19 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/3212-75-0x00000000021B0000-0x00000000021D0000-memory.dmp net_reactor behavioral2/memory/3212-81-0x0000000002220000-0x000000000223E000-memory.dmp net_reactor behavioral2/memory/3212-92-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-103-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-95-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-105-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-117-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-127-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-132-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-138-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-122-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-111-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-144-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-147-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-154-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-157-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-160-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-163-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor behavioral2/memory/3212-165-0x0000000002220000-0x0000000002238000-memory.dmp net_reactor -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation EAB3.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation explothe.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation 22B0.exe -
Executes dropped EXE 32 IoCs
pid Process 1724 E5AD.exe 4636 E6B7.exe 2576 Gr2hm8zp.exe 1936 Ed3wn2xf.exe 3396 nu7Xc1Qq.exe 4008 RK5OL8oK.exe 3696 E90B.exe 2956 1dQ56Ol6.exe 3904 2mi256Fu.exe 3212 EA06.exe 3364 EAB3.exe 468 EDD1.exe 2496 EF0A.exe 4792 explothe.exe 2228 F0C1.exe 2492 F834.exe 1832 22B0.exe 1268 285E.exe 544 292A.exe 4408 3282.exe 3068 toolspub2.exe 444 31839b57a4f11171d6abc8bbc4451ee4.exe 5564 toolspub2.exe 5664 latestX.exe 5884 explothe.exe 5400 31839b57a4f11171d6abc8bbc4451ee4.exe 1160 csrss.exe 5384 updater.exe 5368 injector.exe 2456 windefender.exe 3736 windefender.exe 916 explothe.exe -
Loads dropped DLL 1 IoCs
pid Process 6076 rundll32.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" EA06.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features EA06.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" E5AD.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Gr2hm8zp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" Ed3wn2xf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" nu7Xc1Qq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" RK5OL8oK.exe Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\292A.exe'\"" 292A.exe Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 824 set thread context of 4116 824 18cb64a6705bb82fc1d95dc7bbf9c020.exe 87 PID 3068 set thread context of 5564 3068 toolspub2.exe 157 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe latestX.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5468 sc.exe 472 sc.exe 3564 sc.exe 840 sc.exe 5896 sc.exe 380 sc.exe 4392 sc.exe 1516 sc.exe 3476 sc.exe 2876 sc.exe 4940 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3800 824 WerFault.exe 81 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4392 schtasks.exe 5316 schtasks.exe 5900 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4116 AppLaunch.exe 4116 AppLaunch.exe 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE 3172 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3172 Explorer.EXE -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4116 AppLaunch.exe 5564 toolspub2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3212 EA06.exe Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeDebugPrivilege 2496 EF0A.exe Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeDebugPrivilege 2228 F0C1.exe Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE Token: SeCreatePagefilePrivilege 3172 Explorer.EXE Token: SeShutdownPrivilege 3172 Explorer.EXE -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe 1368 msedge.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3172 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 824 wrote to memory of 4116 824 18cb64a6705bb82fc1d95dc7bbf9c020.exe 87 PID 824 wrote to memory of 4116 824 18cb64a6705bb82fc1d95dc7bbf9c020.exe 87 PID 824 wrote to memory of 4116 824 18cb64a6705bb82fc1d95dc7bbf9c020.exe 87 PID 824 wrote to memory of 4116 824 18cb64a6705bb82fc1d95dc7bbf9c020.exe 87 PID 824 wrote to memory of 4116 824 18cb64a6705bb82fc1d95dc7bbf9c020.exe 87 PID 824 wrote to memory of 4116 824 18cb64a6705bb82fc1d95dc7bbf9c020.exe 87 PID 3172 wrote to memory of 1724 3172 Explorer.EXE 96 PID 3172 wrote to memory of 1724 3172 Explorer.EXE 96 PID 3172 wrote to memory of 1724 3172 Explorer.EXE 96 PID 3172 wrote to memory of 4636 3172 Explorer.EXE 97 PID 3172 wrote to memory of 4636 3172 Explorer.EXE 97 PID 3172 wrote to memory of 4636 3172 Explorer.EXE 97 PID 1724 wrote to memory of 2576 1724 E5AD.exe 98 PID 1724 wrote to memory of 2576 1724 E5AD.exe 98 PID 1724 wrote to memory of 2576 1724 E5AD.exe 98 PID 2576 wrote to memory of 1936 2576 Gr2hm8zp.exe 99 PID 2576 wrote to memory of 1936 2576 Gr2hm8zp.exe 99 PID 2576 wrote to memory of 1936 2576 Gr2hm8zp.exe 99 PID 1936 wrote to memory of 3396 1936 Ed3wn2xf.exe 100 PID 1936 wrote to memory of 3396 1936 Ed3wn2xf.exe 100 PID 1936 wrote to memory of 3396 1936 Ed3wn2xf.exe 100 PID 3172 wrote to memory of 2936 3172 Explorer.EXE 101 PID 3172 wrote to memory of 2936 3172 Explorer.EXE 101 PID 3172 wrote to memory of 3696 3172 Explorer.EXE 103 PID 3172 wrote to memory of 3696 3172 Explorer.EXE 103 PID 3172 wrote to memory of 3696 3172 Explorer.EXE 103 PID 3396 wrote to memory of 4008 3396 nu7Xc1Qq.exe 104 PID 3396 wrote to memory of 4008 3396 nu7Xc1Qq.exe 104 PID 3396 wrote to memory of 4008 3396 nu7Xc1Qq.exe 104 PID 4008 wrote to memory of 2956 4008 RK5OL8oK.exe 105 PID 4008 wrote to memory of 2956 4008 RK5OL8oK.exe 105 PID 4008 wrote to memory of 2956 4008 RK5OL8oK.exe 105 PID 4008 wrote to memory of 3904 4008 RK5OL8oK.exe 106 PID 4008 wrote to memory of 3904 4008 RK5OL8oK.exe 106 PID 4008 wrote to memory of 3904 4008 RK5OL8oK.exe 106 PID 3172 wrote to memory of 3212 3172 Explorer.EXE 107 PID 3172 wrote to memory of 3212 3172 Explorer.EXE 107 PID 3172 wrote to memory of 3212 3172 Explorer.EXE 107 PID 3172 wrote to memory of 3364 3172 Explorer.EXE 108 PID 3172 wrote to memory of 3364 3172 Explorer.EXE 108 PID 3172 wrote to memory of 3364 3172 Explorer.EXE 108 PID 2936 wrote to memory of 1368 2936 cmd.exe 111 PID 2936 wrote to memory of 1368 2936 cmd.exe 111 PID 3172 wrote to memory of 468 3172 Explorer.EXE 110 PID 3172 wrote to memory of 468 3172 Explorer.EXE 110 PID 3172 wrote to memory of 468 3172 Explorer.EXE 110 PID 3172 wrote to memory of 2496 3172 Explorer.EXE 113 PID 3172 wrote to memory of 2496 3172 Explorer.EXE 113 PID 3172 wrote to memory of 2496 3172 Explorer.EXE 113 PID 3364 wrote to memory of 4792 3364 EAB3.exe 114 PID 3364 wrote to memory of 4792 3364 EAB3.exe 114 PID 3364 wrote to memory of 4792 3364 EAB3.exe 114 PID 3172 wrote to memory of 2228 3172 Explorer.EXE 116 PID 3172 wrote to memory of 2228 3172 Explorer.EXE 116 PID 3172 wrote to memory of 2228 3172 Explorer.EXE 116 PID 1368 wrote to memory of 4448 1368 msedge.exe 117 PID 1368 wrote to memory of 4448 1368 msedge.exe 117 PID 3172 wrote to memory of 2492 3172 Explorer.EXE 118 PID 3172 wrote to memory of 2492 3172 Explorer.EXE 118 PID 3172 wrote to memory of 2492 3172 Explorer.EXE 118 PID 4792 wrote to memory of 4392 4792 explothe.exe 122 PID 4792 wrote to memory of 4392 4792 explothe.exe 122 PID 4792 wrote to memory of 4392 4792 explothe.exe 122 PID 4792 wrote to memory of 2584 4792 explothe.exe 123 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\18cb64a6705bb82fc1d95dc7bbf9c020.exe"C:\Users\Admin\AppData\Local\Temp\18cb64a6705bb82fc1d95dc7bbf9c020.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4116
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 2963⤵
- Program crash
PID:3800
-
-
-
C:\Users\Admin\AppData\Local\Temp\E5AD.exeC:\Users\Admin\AppData\Local\Temp\E5AD.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gr2hm8zp.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gr2hm8zp.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ed3wn2xf.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ed3wn2xf.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nu7Xc1Qq.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nu7Xc1Qq.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RK5OL8oK.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\RK5OL8oK.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dQ56Ol6.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dQ56Ol6.exe7⤵
- Executes dropped EXE
PID:2956
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mi256Fu.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mi256Fu.exe7⤵
- Executes dropped EXE
PID:3904
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\E6B7.exeC:\Users\Admin\AppData\Local\Temp\E6B7.exe2⤵
- Executes dropped EXE
PID:4636
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E7C2.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff9333d46f8,0x7ff9333d4708,0x7ff9333d47184⤵PID:4448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:24⤵PID:2308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:34⤵PID:3152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:84⤵PID:452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:14⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:14⤵PID:2916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:14⤵PID:4388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:84⤵PID:228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:84⤵PID:3792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:14⤵PID:4340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:14⤵PID:4572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:14⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:14⤵PID:5148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:14⤵PID:5140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:14⤵PID:5680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:14⤵PID:6000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16765038933789164313,16962189603449218242,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:14⤵PID:6136
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/3⤵PID:3688
-
-
-
C:\Users\Admin\AppData\Local\Temp\E90B.exeC:\Users\Admin\AppData\Local\Temp\E90B.exe2⤵
- Executes dropped EXE
PID:3696
-
-
C:\Users\Admin\AppData\Local\Temp\EA06.exeC:\Users\Admin\AppData\Local\Temp\EA06.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
-
C:\Users\Admin\AppData\Local\Temp\EAB3.exeC:\Users\Admin\AppData\Local\Temp\EAB3.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F4⤵
- DcRat
- Creates scheduled task(s)
PID:4392
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵PID:2584
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2792
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"5⤵PID:1236
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E5⤵PID:4248
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:880
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵PID:444
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵PID:4724
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:6076
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\EDD1.exeC:\Users\Admin\AppData\Local\Temp\EDD1.exe2⤵
- Executes dropped EXE
PID:468 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=EDD1.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵PID:3160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9333d46f8,0x7ff9333d4708,0x7ff9333d47184⤵PID:1884
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=EDD1.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵PID:5908
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9333d46f8,0x7ff9333d4708,0x7ff9333d47184⤵PID:5924
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\EF0A.exeC:\Users\Admin\AppData\Local\Temp\EF0A.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Users\Admin\AppData\Local\Temp\F0C1.exeC:\Users\Admin\AppData\Local\Temp\F0C1.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Users\Admin\AppData\Local\Temp\F834.exeC:\Users\Admin\AppData\Local\Temp\F834.exe2⤵
- Executes dropped EXE
PID:2492
-
-
C:\Users\Admin\AppData\Local\Temp\22B0.exeC:\Users\Admin\AppData\Local\Temp\22B0.exe2⤵
- Checks computer location settings
- Executes dropped EXE
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5564
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:5940
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5400 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5188
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:5928
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:4864
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1408
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5924
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:1160 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:60
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:5316
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5740
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:5628
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2728
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:5368
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:5900
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:5968
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
PID:3476
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe6⤵PID:5936
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:5664
-
-
-
C:\Users\Admin\AppData\Local\Temp\285E.exeC:\Users\Admin\AppData\Local\Temp\285E.exe2⤵
- Executes dropped EXE
PID:1268
-
-
C:\Users\Admin\AppData\Local\Temp\292A.exeC:\Users\Admin\AppData\Local\Temp\292A.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:544
-
-
C:\Users\Admin\AppData\Local\Temp\3282.exeC:\Users\Admin\AppData\Local\Temp\3282.exe2⤵
- Executes dropped EXE
PID:4408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4188
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:5144
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:5468
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:5896
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:380
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:4392
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1516
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:1068
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1572
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:2308
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:5576
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:1888
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:5636
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:4224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1408
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1880
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:472
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2876
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:3564
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:840
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4940
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:3336
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:552
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:5440
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:5092
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:6124
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Modifies data under HKEY_USERS
PID:5228
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:5284
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:6044
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 824 -ip 8241⤵PID:820
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9333d46f8,0x7ff9333d4708,0x7ff9333d47181⤵PID:4780
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4132
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4556
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:5884
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
PID:5384
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:3736
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:916
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f95638730ec51abd55794c140ca826c9
SHA177c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA5120eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a
-
Filesize
152B
MD5f95638730ec51abd55794c140ca826c9
SHA177c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA5120eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a
-
Filesize
152B
MD5f95638730ec51abd55794c140ca826c9
SHA177c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA5120eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a
-
Filesize
152B
MD5f95638730ec51abd55794c140ca826c9
SHA177c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA5120eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5edf9e91891d4c235ea4e8bb489540ccd
SHA16ce54fa3f3f55d065a49675f4d6d5dd996dee260
SHA2568bc26a163d74edf9cb6f7c8ad45e9b4a3d74d75443186aa7bcb83951acf9f6a0
SHA512aed50d1d5a16218c8f1d15cdbf1cb8c7b97be693635b8492c4558019c27b20d992921d19dbb9be8854bd65feba20f4f86b2d87d5c9d57f1971740652395d2e98
-
Filesize
6KB
MD5735228202e7f975f7eb0554b42947903
SHA1fde2a260aac99dc27a72bfaa9c5c86a25fdea9b1
SHA256437e656aa958384d0734598f2dc2acc797011fea258fc18c14bd15f7884c0e99
SHA512f247eb1776cda91e29d1da0a2c39020671f354d17eea4431015bb03487aa273fddf934b5ffaacf89a035b5ba5444a1359600cce603aba82ae3c1fa8ec14b84a7
-
Filesize
6KB
MD51b0ea5905143384ec536c35c6a2508c0
SHA139107d0cddec96e41eb795da50769dedcc665177
SHA256dfae1eb7d761a95a71112f0be0b9edf251aca11042aa6e6a0af50cb48dfae196
SHA5129c0ff0f438b2da02580a5f6a7b51f7e7f77a0b0611f0bc31fc59999ad47890c7ada6e9aa6c407cf69068fb951cc30250fd332e06b4343f68b712c4fbd8f5f120
-
Filesize
24KB
MD54a078fb8a7c67594a6c2aa724e2ac684
SHA192bc5b49985c8588c60f6f85c50a516fae0332f4
SHA256c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee
SHA512188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD54259741d18709377356d29591b4dc36e
SHA1fdeceeff45e86b56378071036df01464d8ef5657
SHA25626e7a79d3d199e75630889447be52d3abc2b94b9c242b6b798f5c9fb16da6456
SHA512af142e4964169dfe9ff28dedd3c9d2057430d4edfd8bf47c9e6f968c57f88a06e5d9197ca7751a735a2717af681ec0734a7d975bc11cfc49a5f565a93b2d833a
-
Filesize
10KB
MD54259741d18709377356d29591b4dc36e
SHA1fdeceeff45e86b56378071036df01464d8ef5657
SHA25626e7a79d3d199e75630889447be52d3abc2b94b9c242b6b798f5c9fb16da6456
SHA512af142e4964169dfe9ff28dedd3c9d2057430d4edfd8bf47c9e6f968c57f88a06e5d9197ca7751a735a2717af681ec0734a7d975bc11cfc49a5f565a93b2d833a
-
Filesize
10KB
MD50f691726acfea8b19deffad38105ac0a
SHA11d2a3c43076e271b8466edc8e8bbed8a33812d31
SHA256318aec95e22ec38c2176d8288d9eae2cf4bda1570222bd5e9234e820742f408c
SHA5127bb28d25b45201617415322806694f46f8447cf81ec2b161e7bcf0cd8c1dc2f4411982fe5007645c1d15030f4bc17d5fa2cb8f3b7bc26f6fc301d36d1463b4ac
-
Filesize
10.0MB
MD585fb3b5dffede43c9eb9510b19e440b4
SHA16623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA2563bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40
-
Filesize
10.0MB
MD585fb3b5dffede43c9eb9510b19e440b4
SHA16623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA2563bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40
-
Filesize
184KB
MD542d97769a8cfdfedac8e03f6903e076b
SHA101c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA51238d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77
-
Filesize
184KB
MD542d97769a8cfdfedac8e03f6903e076b
SHA101c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA51238d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
4.1MB
MD50bce2fed456a72a2486b1d17621c88d6
SHA14cbff382f76920526ec0bc81a05bfd372dd88229
SHA25609d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA51274c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4
-
Filesize
4.1MB
MD50bce2fed456a72a2486b1d17621c88d6
SHA14cbff382f76920526ec0bc81a05bfd372dd88229
SHA25609d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA51274c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4
-
Filesize
4.1MB
MD50bce2fed456a72a2486b1d17621c88d6
SHA14cbff382f76920526ec0bc81a05bfd372dd88229
SHA25609d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA51274c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4
-
Filesize
501KB
MD5d5752c23e575b5a1a1cc20892462634a
SHA1132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8
-
Filesize
501KB
MD5d5752c23e575b5a1a1cc20892462634a
SHA1132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8
-
Filesize
1016KB
MD59116658f4e155e7a053cc0e0f9fc1aed
SHA1ae52cef85d21c96b90d61b9ccf66cc6da52bb9da
SHA2564a26a8c09c779f06c5aea4c99693a041583e2c1ebcfe339412aeecdda6946243
SHA5128fcc39f72e71482c966019ff6adc050c6547507f814994062fdb26109f2c7fe82748528d4414cea4328a14fa1f3a8c4b4bf3529707e05b358b016fdb19548d5f
-
Filesize
1016KB
MD59116658f4e155e7a053cc0e0f9fc1aed
SHA1ae52cef85d21c96b90d61b9ccf66cc6da52bb9da
SHA2564a26a8c09c779f06c5aea4c99693a041583e2c1ebcfe339412aeecdda6946243
SHA5128fcc39f72e71482c966019ff6adc050c6547507f814994062fdb26109f2c7fe82748528d4414cea4328a14fa1f3a8c4b4bf3529707e05b358b016fdb19548d5f
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
1.1MB
MD56beaa4e2ea0db39aff347b9c04e8a0ba
SHA1e253f412caec1283ea8142a225e039233827d459
SHA2562be8c3b5bc8178e38982858a94f77e24e038910438c699f889421a01b65adadc
SHA5124cf4c763486ca385b7f3825ddc57e8d0b9f8b326e8b0d02e5b2e24c115c48d6ed3b59f255331ff4a29bd7a2e7f4039440972968777460cb3d1ee31097a5e8e3e
-
Filesize
1.1MB
MD56beaa4e2ea0db39aff347b9c04e8a0ba
SHA1e253f412caec1283ea8142a225e039233827d459
SHA2562be8c3b5bc8178e38982858a94f77e24e038910438c699f889421a01b65adadc
SHA5124cf4c763486ca385b7f3825ddc57e8d0b9f8b326e8b0d02e5b2e24c115c48d6ed3b59f255331ff4a29bd7a2e7f4039440972968777460cb3d1ee31097a5e8e3e
-
Filesize
876KB
MD5ab812ed81d5bcda424814481ddbfd16c
SHA14d9ffd7aedb4f67922c5d31b8904ec8bfedad281
SHA256d27388deee0b758f62721895e752b3b6ebc624b258da4525ab98823774c4e7fa
SHA5126a6eac5b1910acc8603fbc5514b7ee4239036b84200de7f23d4b483076f26587b5625b93651674a2ae9c3ead342c283ce6f1edf34a9bddb8b210fd97dadeb91e
-
Filesize
876KB
MD5ab812ed81d5bcda424814481ddbfd16c
SHA14d9ffd7aedb4f67922c5d31b8904ec8bfedad281
SHA256d27388deee0b758f62721895e752b3b6ebc624b258da4525ab98823774c4e7fa
SHA5126a6eac5b1910acc8603fbc5514b7ee4239036b84200de7f23d4b483076f26587b5625b93651674a2ae9c3ead342c283ce6f1edf34a9bddb8b210fd97dadeb91e
-
Filesize
688KB
MD5b73d0f04343d9b5127606a3fc98cb171
SHA175cf2d811bc27fdb2a628345cc3b2e78b6522a60
SHA25681289638915afd121cdb7945f7119bf15d7368d31455461f73cfef2c2c87fc21
SHA512255289249956c2c8d5e5debff2214640914f0344e42a8f048d11c1af7dd7a448ae17d9ce6882bc81e67afbddf1f7be9b4d29a6e0b0e86a00284322b61ab18664
-
Filesize
688KB
MD5b73d0f04343d9b5127606a3fc98cb171
SHA175cf2d811bc27fdb2a628345cc3b2e78b6522a60
SHA25681289638915afd121cdb7945f7119bf15d7368d31455461f73cfef2c2c87fc21
SHA512255289249956c2c8d5e5debff2214640914f0344e42a8f048d11c1af7dd7a448ae17d9ce6882bc81e67afbddf1f7be9b4d29a6e0b0e86a00284322b61ab18664
-
Filesize
514KB
MD56036c3d4b0b7945039e4e74f4320f336
SHA18db45c132c694627df80703b44bcd5aa46aa311e
SHA256967fa3b0b2ea073277e20e1eb5c2d7a7ace1e0abe76acda1d164fee25ad13534
SHA512252b2cb9553a39dd0cb39566eab975ad00081889b0e4d10d194d8e7d0be411f1414ed919159727d1a75cda65fd735e499452e63becaf259cd96cc8b2f4a2841a
-
Filesize
514KB
MD56036c3d4b0b7945039e4e74f4320f336
SHA18db45c132c694627df80703b44bcd5aa46aa311e
SHA256967fa3b0b2ea073277e20e1eb5c2d7a7ace1e0abe76acda1d164fee25ad13534
SHA512252b2cb9553a39dd0cb39566eab975ad00081889b0e4d10d194d8e7d0be411f1414ed919159727d1a75cda65fd735e499452e63becaf259cd96cc8b2f4a2841a
-
Filesize
319KB
MD520c027908129d1d80508dabaf2a6f437
SHA1e897e61f9dfc8196bab72e80c1efcf118d90bef9
SHA2563e0521460aa47978697056ce2a37d49b82402bd73782f9b85dd219fcac06d5c4
SHA5125f929a307ad5930d6a0f0289fb3b76136d5421fd4aef3e0495dc6ad96e4a81d605313efeed557939a4498a38d79cb4f9ace0b35abfbb9fd8a792c7c5e4795175
-
Filesize
319KB
MD520c027908129d1d80508dabaf2a6f437
SHA1e897e61f9dfc8196bab72e80c1efcf118d90bef9
SHA2563e0521460aa47978697056ce2a37d49b82402bd73782f9b85dd219fcac06d5c4
SHA5125f929a307ad5930d6a0f0289fb3b76136d5421fd4aef3e0495dc6ad96e4a81d605313efeed557939a4498a38d79cb4f9ace0b35abfbb9fd8a792c7c5e4795175
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
223KB
MD5e3403b7f02a1afcce3303d7f616863e4
SHA1f8ba5ef789f0be6622336429014bfb23f798a843
SHA256c9f99c90b1cb1644084114d08e1ee6d84d69523e21f1e718684dea2b7cd4afcf
SHA51201e087bb190f95bb23376ddf742e1c4a91351756b94e636c36ff1cc59e449b4dcf73915a49edeec5844fe73528d289680a1a36293ff150aec79a3a4a89c3e338
-
Filesize
223KB
MD5e3403b7f02a1afcce3303d7f616863e4
SHA1f8ba5ef789f0be6622336429014bfb23f798a843
SHA256c9f99c90b1cb1644084114d08e1ee6d84d69523e21f1e718684dea2b7cd4afcf
SHA51201e087bb190f95bb23376ddf742e1c4a91351756b94e636c36ff1cc59e449b4dcf73915a49edeec5844fe73528d289680a1a36293ff150aec79a3a4a89c3e338
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
241KB
MD5e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1399a478e94abf553332d11c18b9f88894ecaeabe
SHA256b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450
-
Filesize
241KB
MD5e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1399a478e94abf553332d11c18b9f88894ecaeabe
SHA256b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450
-
Filesize
241KB
MD5e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1399a478e94abf553332d11c18b9f88894ecaeabe
SHA256b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450
-
Filesize
241KB
MD5e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1399a478e94abf553332d11c18b9f88894ecaeabe
SHA256b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9