Analysis
-
max time kernel
1800s -
max time network
1804s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-10-2023 15:12
Behavioral task
behavioral1
Sample
deploy.exe
Resource
win10v2004-20231020-en
General
-
Target
deploy.exe
-
Size
63KB
-
MD5
6f92c594e253457f848f01bac27814d5
-
SHA1
9d29ff1372582e71bfcf37b9eba3063cc7febc08
-
SHA256
1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
-
SHA512
30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c
-
SSDEEP
768:Rd5nVhwdjndk78TQC8A+XiuazcBRL5JTk1+T4KSBGHmDbD/ph0oX9ASuAdpqKYhg:ZnSdsNdSJYUbdh99HuAdpqKmY7
Malware Config
Extracted
asyncrat
Default
H伊8jWaCωdcΓP8吾קtרXovNF3
-
delay
1
-
install
true
-
install_file
daemon.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/L7WhRmt9
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
146.19.230.52:4456
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Signatures
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3596-585-0x000000001EDD0000-0x000000001EEF2000-memory.dmp | family_stormkitty
Async RAT payload 10 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5028-0-0x0000000000960000-0x0000000000976000-memory.dmp | asyncrat
C:\Users\Admin\AppData\Roaming\daemon.exe | asyncrat
C:\Users\Admin\AppData\Roaming\daemon.exe | asyncrat
behavioral1/memory/3596-20-0x0000000002F40000-0x0000000002F74000-memory.dmp | asyncrat
behavioral1/memory/3596-22-0x000000001DD70000-0x000000001DD94000-memory.dmp | asyncrat
behavioral1/memory/3596-23-0x000000001DE90000-0x000000001DEAC000-memory.dmp | asyncrat
behavioral1/memory/3596-24-0x000000001DB70000-0x000000001DB8A000-memory.dmp | asyncrat
behavioral1/memory/3596-25-0x000000001C7C0000-0x000000001C7F2000-memory.dmp | asyncrat
behavioral1/memory/3596-26-0x000000001C6E0000-0x000000001C712000-memory.dmp | asyncrat
behavioral1/memory/3596-708-0x000000001EEF0000-0x000000001F078000-memory.dmp | asyncrat
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
daemon.exe, ubiopn.exe, deploy.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation | daemon.exe
Key value queried | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation | ubiopn.exe
Key value queried | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Control Panel\International\Geo\Nation | deploy.exe
Drops startup file 2 IoCs
Processes:
Dllhost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Dllhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | Dllhost.exe
Executes dropped EXE 3 IoCs
Processes:
daemon.exe, ubiopn.exe, Dllhost.exe
pid | process
3596 | daemon.exe
2000 | ubiopn.exe
3540 | Dllhost.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral1/memory/3920-570-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/3920-572-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/3920-574-0x0000000000400000-0x0000000000472000-memory.dmp | upx
behavioral1/memory/3920-579-0x0000000000400000-0x0000000000472000-memory.dmp | upx
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
daemon.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | daemon.exe
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | daemon.exe
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | daemon.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Dllhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | Dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Windows\\Dllhost.exe\" .." | Dllhost.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
daemon.exe
description | ioc | process
File opened for modification | \??\c:\users\admin\desktop\desktop.ini | daemon.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
196 | ip-api.com
382 | icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Drops file in System32 directory 1 IoCs
Processes:
mmc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\devmgmt.msc | mmc.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
Dllhost.exe
description | pid | process | target process
PID 3540 set thread context of 3920 | 3540 | Dllhost.exe | vbc.exe
Drops file in Windows directory 58 IoCs
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 20 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exe, daemon.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | daemon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | daemon.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exe
pid | process
412 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Processes:
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133425481971808231" | chrome.exe
Modifies registry class 64 IoCs
Processes:
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
daemon.exeexplorer.exeexplorer.exepid process 3596 daemon.exe 412 explorer.exe 1284 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
deploy.exedaemon.exepid process 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 5028 deploy.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe 3596 daemon.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Dllhost.exedaemon.exepid process 3540 Dllhost.exe 3596 daemon.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid 4 4 4 4 4 660 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Processes:
chrome.exepid process 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
deploy.exedaemon.exepowershell.exeDllhost.exeexplorer.exemmc.exechrome.exedescription pid process Token: SeDebugPrivilege 5028 deploy.exe Token: SeDebugPrivilege 3596 daemon.exe Token: SeDebugPrivilege 332 powershell.exe Token: SeDebugPrivilege 3540 Dllhost.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: SeShutdownPrivilege 412 explorer.exe Token: SeCreatePagefilePrivilege 412 explorer.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: 33 4976 mmc.exe Token: SeIncBasePriorityPrivilege 4976 mmc.exe Token: 33 4976 mmc.exe Token: SeIncBasePriorityPrivilege 4976 mmc.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: 33 3540 Dllhost.exe Token: SeIncBasePriorityPrivilege 3540 Dllhost.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: 
SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe Token: SeShutdownPrivilege 3156 chrome.exe Token: SeCreatePagefilePrivilege 3156 chrome.exe -
Suspicious use of FindShellTrayWindow 30 IoCs
Processes:
explorer.exechrome.exeiexplore.exeexplorer.exepid process 412 explorer.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 5804 iexplore.exe 1284 explorer.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe 3156 chrome.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
daemon.exemmc.exeiexplore.exeIEXPLORE.EXEpid process 3596 daemon.exe 4976 mmc.exe 4976 mmc.exe 5804 iexplore.exe 5804 iexplore.exe 5900 IEXPLORE.EXE 5900 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
deploy.execmd.execmd.exedaemon.execmd.execmd.exepowershell.exeubiopn.exechrome.exedescription pid process target process PID 5028 wrote to memory of 404 5028 deploy.exe cmd.exe PID 5028 wrote to memory of 404 5028 deploy.exe cmd.exe PID 5028 wrote to memory of 4828 5028 deploy.exe cmd.exe PID 5028 wrote to memory of 4828 5028 deploy.exe cmd.exe PID 404 wrote to memory of 3908 404 cmd.exe schtasks.exe PID 404 wrote to memory of 3908 404 cmd.exe schtasks.exe PID 4828 wrote to memory of 412 4828 cmd.exe timeout.exe PID 4828 wrote to memory of 412 4828 cmd.exe timeout.exe PID 4828 wrote to memory of 3596 4828 cmd.exe daemon.exe PID 4828 wrote to memory of 3596 4828 cmd.exe daemon.exe PID 3596 wrote to memory of 2920 3596 daemon.exe cmd.exe PID 3596 wrote to memory of 2920 3596 daemon.exe cmd.exe PID 2920 wrote to memory of 1580 2920 cmd.exe PING.EXE PID 2920 wrote to memory of 1580 2920 cmd.exe PING.EXE PID 3596 wrote to memory of 4608 3596 daemon.exe cmd.exe PID 3596 wrote to memory of 4608 3596 daemon.exe cmd.exe PID 4608 wrote to memory of 332 4608 cmd.exe powershell.exe PID 4608 wrote to memory of 332 4608 cmd.exe powershell.exe PID 332 wrote to memory of 2000 332 powershell.exe ubiopn.exe PID 332 wrote to memory of 2000 332 powershell.exe ubiopn.exe PID 332 wrote to memory of 2000 332 powershell.exe ubiopn.exe PID 2000 wrote to memory of 3540 2000 ubiopn.exe Dllhost.exe PID 2000 wrote to memory of 3540 2000 ubiopn.exe Dllhost.exe PID 2000 wrote to memory of 3540 2000 ubiopn.exe Dllhost.exe PID 3156 wrote to memory of 2332 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2332 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 
3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe PID 3156 wrote to memory of 2992 3156 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
daemon.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 daemon.exe -
outlook_win_path 1 IoCs
Processes:
daemon.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 daemon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\deploy.exe"C:\Users\Admin\AppData\Local\Temp\deploy.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "daemon" /tr '"C:\Users\Admin\AppData\Roaming\daemon.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "daemon" /tr '"C:\Users\Admin\AppData\Roaming\daemon.exe"'3⤵
- Creates scheduled task(s)
PID:3908 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp366.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:412 -
C:\Users\Admin\AppData\Roaming\daemon.exe"C:\Users\Admin\AppData\Roaming\daemon.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3596 -
C:\Windows\SYSTEM32\cmd.exe"cmd"4⤵
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\system32\PING.EXEping cloudflare.com5⤵
- Runs ping.exe
PID:1580 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubiopn.exe"' & exit4⤵
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubiopn.exe"'5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Users\Admin\AppData\Local\Temp\ubiopn.exe"C:\Users\Admin\AppData\Local\Temp\ubiopn.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\Dllhost.exe"C:\Windows\Dllhost.exe"7⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3540 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\3552883"8⤵PID:3920
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵PID:716
-
C:\Windows\system32\chcp.comchcp 650015⤵PID:2244
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵PID:1612
-
C:\Windows\system32\findstr.exefindstr All5⤵PID:4476
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵PID:4316
-
C:\Windows\system32\chcp.comchcp 650015⤵PID:2512
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵PID:5564
-
C:\Windows\SYSTEM32\cmd.exe"cmd"4⤵PID:5180
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get caption5⤵PID:5200
-
C:\Windows\SYSTEM32\cmd.exe"cmd"4⤵PID:3480
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:2704
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:1812
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:412
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:4948
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4976
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffdbc859758,0x7ffdbc859768,0x7ffdbc8597782⤵PID:2332
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:82⤵PID:1588
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:22⤵PID:2992
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:82⤵PID:1832
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:2396
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:656
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4652 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:4640
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4776 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:82⤵PID:1540
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:82⤵PID:2956
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4956 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:3828
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3396 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:1124
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:82⤵PID:2084
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5000 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:4080
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5640 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:1984
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4784 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:2280
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5984 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:4928
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5916 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:4696
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6476 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:2892
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6356 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:1092
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6236 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:2960
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7056 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:12⤵PID:5196
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 --field-trial-handle=1916,i,3256368676407802205,8344109765142389448,131072 /prefetch:82⤵PID:5436
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵PID:1072
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\SetWatch.gif1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5804 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5804 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5900
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x490 0x1501⤵PID:3448
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:4560
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
PID:1284
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:3348
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Downloads
-
Filesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
Filesize
43KB
MD5a463c96ab06522c82bf208e024dea808
SHA197f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA51259238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3
-
Filesize
43KB
MD5a463c96ab06522c82bf208e024dea808
SHA197f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA51259238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
Filesize 105B
MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize 537B
MD5 c45e92b49cefd822dcad5307b93742b9
SHA1 6f177e99d7ba3da15a9d48f7501b9852e5aae5cf
SHA256 594dffe5b5babf5dabec1c3e44eecd82e08a5cfab7bdfec036e215edc1ff254d
SHA512 1589ca8ff5b8772cb46ed35f9c86909ce417dc41c8f1c7e7a93775049c76de3e774e87b66a0d4b6c0394d608a9c9a1207355d9f675185bb86813b44cd38edc01
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize 1KB
MD5 6bd0f1a45810883d075cef9c02545103
SHA1 3596130fb98ab71914a3cfa34da3fb3d89eabd98
SHA256 6705e7a6079f141a6af87e416d04c2d18d48baaa6820780baae424beabdeda04
SHA512 4bcb0dd32f681c71f3e3591810e7928315485283cbc975fadf08b1a0ec2c9ec74cd2f67a66a143f52f6aaa9659ad7cd7931d908848082353d2f4192b3a0881f8
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize 1KB
MD5 529ea0290ba5b3b0ae6395fe76702246
SHA1 c68402680ae9c02bf950df0fb32f13203d45a3fe
SHA256 98337f6a4f06c3c67eb49eefc9dd2fb9a7f91c04825f8bfb8f3dd659e98b05fa
SHA512 80ef1e2ba3374897c7f08fe4a24de19cce6eb9422ffdaf084cba89e9e8c2084fae1987bb2cd7524a6710ee41f0ae0a4a91f23a27f1468a2d8cc22b224e90982c
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize 2KB
MD5 3090c96f7d51f90d0bafa5192f95669b
SHA1 e525c67bdbc7085d2b999da9505526d9f0dbee87
SHA256 6d00150f81bf508bedd06988f8cde6a310092951062a141cf204f37d5df9d452
SHA512 b5793d515d65cfc64ebe449aaa3e0e23f032b5700bcfa9f5241157d22b39d5041e2b826420fe324bdfc4295b4e023f2de83760b7ee2c7d1a24f8c733c43a621f
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize 3KB
MD5 f4b1d92405ca45b7ad0b0afaebe6b28d
SHA1 546703100a113153d439abba13951d21feb5bccd
SHA256 32cdefd333f5f9fcb0d548abbe5aa9fdc521ccd9095de77ab70dfe605e6bb9c7
SHA512 e1b0aeb701eded20e6cce84dac7d1814ea1b6796e7bb6418ce4bd9f4708b41b914f42c22bb201d139da58be3925a40121705f92b699c9b4ec40e46165c7d973c
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize 3KB
MD5 ddb12b5a703d028d1db9049fcd1c9389
SHA1 e18f1cbe3d92d7b4569d8e4eb625a3da80cd8fc4
SHA256 65cac3ed6fb71250d187d27b065233b5f469dbb252a6f973e8760962c5dd17db
SHA512 f5cdfa20e8216247e1472c6389b6fef8523d0465ac287c4b797e87f3035ed3fec2f9c712975e775a22f247cebe582ae57a4c47c0072512693fa89c2b488efab2
-
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
Filesize 4KB
MD5 b29c299302f6bf152e97f54c7dfc1d6f
SHA1 24fc81371958de96f0fd17a68c3239004e30dd6b
SHA256 bec2381ab2269615dfa991b28d37c45cce04ee6e2ca99828208ed3ce247db028
SHA512 bd3715d0497db6d7a47c94a3d32f8f128ad9911a467dcbcda456d1f3b4dfb77c2b0ab6edaa5f0a2d5987c2a60cdc08d54e245955f05a7c699fe826327d7a92fd
-
Filesize 63KB
MD5 6f92c594e253457f848f01bac27814d5
SHA1 9d29ff1372582e71bfcf37b9eba3063cc7febc08
SHA256 1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
SHA512 30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c
-
Filesize 63KB
MD5 6f92c594e253457f848f01bac27814d5
SHA1 9d29ff1372582e71bfcf37b9eba3063cc7febc08
SHA256 1f41ecd3c862c4957dc7e09fede95bddcf43ebcab44fe946d72ff6abb75d030a
SHA512 30573565a27010e037c06741577bf5fb5bf1069f518d81e9b62fc207968974a038a7f5dabbcd5a40f0fc0e2d0ecfab3aebe2e88ef5bbbf105c55d0edcaf7662c
-
Filesize 43KB
MD5 a463c96ab06522c82bf208e024dea808
SHA1 97f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256 f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA512 59238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3
-
Filesize 43KB
MD5 a463c96ab06522c82bf208e024dea808
SHA1 97f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256 f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA512 59238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3
-
Filesize 43KB
MD5 a463c96ab06522c82bf208e024dea808
SHA1 97f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256 f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA512 59238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(no size is recorded for this entry; the four digests are those of zero-byte content, so this is an empty file and its hashes are not a usable indicator)
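The dropped-file list above is what an analyst typically turns into a hash set, and as extracted it is awkward to consume: the hash labels are fused to their values, "Filesize" is sometimes on its own line, and several records repeat the same digests. The script below is an added example, not part of the sandbox report or of any tool the report describes. It parses that flattened form into records, validates each digest's length, deduplicates by SHA-256 (so a file written three times counts once in the indicator set), and flags digests of contents that should not be treated as indicators at all, computing the reference digests with hashlib rather than hard-coding them. The embedded sample is a constructed excerpt of five entries copied from the list above; the function names, the label set and the recognition list are this example's own choices.

```python
import hashlib
import re
from collections import Counter

# Constructed sample input: five "Dropped files" entries copied from the report
# above, in the flattened form the page extractor produced (labels fused to
# values, "Filesize" or "MD5" sometimes alone on a line, "-" between entries).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
Filesize105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
43KB
MD5a463c96ab06522c82bf208e024dea808
SHA197f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA51259238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3
-
Filesize
43KB
MD5a463c96ab06522c82bf208e024dea808
SHA197f88b3f7369e2a6b4ebe984f2d5205bd42c8730
SHA256f77b0622c90ed9b471255f247a329022811b39bfde2cfe8ed764faa169147aa6
SHA51259238793842d50c4ee68cc8e8f85c82c871717d1c18bb924a932cb51ab9a786a3eeb4284b1b96da86196466c9446830687aef22b5d01db2ea706ee665d8ae8d3
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Label names as they appear on the page; digest lengths in hex characters.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Contents whose digests are useless as indicators: a zero-byte file and the
# two-byte string "{}" (empty JSON object). Computed, not hard-coded.
KNOWN_CONTENT = {
    hashlib.sha256(b"").hexdigest(): "empty file (0 bytes)",
    hashlib.sha256(b"{}").hexdigest(): "empty JSON object: '{}'",
}


def parse_dropped_files(text):
    """Parse the flattened list into dicts with path/filesize/md5/sha1/sha256/sha512 keys."""
    entries, current = [], {}
    lines = [ln.strip() for ln in text.strip().splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":                      # entry separator
            if current:
                entries.append(current)
            current = {}
            continue
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m is None:                        # any other line is the dropped file's path
            current["path"] = line
            continue
        label, value = m.group(1).lower(), m.group(2).strip()
        if not value and i < len(lines):     # label alone on its line: value is on the next
            value = lines[i]
            i += 1
        if label in HEX_LEN:
            value = value.lower()
            if len(value) != HEX_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {label} digest: {value!r}")
        current[label] = value
    if current:
        entries.append(current)
    return entries


def summarise(entries):
    """Distinct artifacts by SHA-256, how often each repeated, and recognised non-indicators."""
    counts = Counter(e["sha256"] for e in entries if "sha256" in e)
    return {
        "total": len(entries),
        "distinct_sha256": sorted(counts),
        "duplicates": {h: n for h, n in counts.items() if n > 1},
        "recognised": {h: KNOWN_CONTENT[h] for h in counts if h in KNOWN_CONTENT},
    }


if __name__ == "__main__":
    report = summarise(parse_dropped_files(SAMPLE_REPORT))
    print(f"{report['total']} entries, {len(report['distinct_sha256'])} distinct SHA-256 values")
    for h, n in report["duplicates"].items():
        print(f"written {n}x: {h}")
    for h, what in report["recognised"].items():
        print(f"not an indicator, {what}: {h}")
```

Keying the deduplication on SHA-256 rather than MD5 is deliberate: the report lists all four digests, but MD5 and SHA-1 collisions are cheap enough to construct that only the SHA-2 values should anchor a blocklist entry. The recognised-content check is the caveat a hash-set consumer most often misses: an empty file and an empty JSON object appear in countless benign systems, so pushing their digests into an EDR blocklist produces nothing but false positives.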