Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system -
submitted
26/10/2023, 07:55
Static task
static1
Behavioral task
behavioral1
Sample
d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe
Resource
win10v2004-20231023-en
General
-
Target
d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe
-
Size
1.5MB
-
MD5
0992b9c2013dc98236992b92ed7bac8e
-
SHA1
8911ace3f4af2e71d13ce5bc2f3191298984c302
-
SHA256
d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31
-
SHA512
d72560669a9115fb1fd9bd0745369de7dacab389807793d10f5add1af14b2f5a6772a17d084b81c741a901654dcb9db69b5343c15fb33634f91178a0d8ed5daa
-
SSDEEP
24576:syRIEWMJCscskhkJOATfwsyAWUhB4Xoc2Eujxq8vpHH4DxLHy0VE07Z5q:bRIEM2dcVmzjxn49L9n
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
kinza
77.91.124.86:19084
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
raccoon
6a6a005b9aa778f606280c5fa24ae595
http://195.123.218.98:80
http://31.192.23
-
user_agent
SunShineMoonLight
Extracted
redline
@ytlogsbot
194.169.175.235:42691
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe
| | 2452 schtasks.exe
| | 5676 schtasks.exe
| | 632 schtasks.exe
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral1/memory/4084-739-0x00000000006D0000-0x0000000000AB0000-memory.dmp family_zgrat_v1 -
Glupteba payload 5 IoCs
resource | yara_rule
behavioral1/memory/312-836-0x0000000002D80000-0x000000000366B000-memory.dmp | family_glupteba
behavioral1/memory/312-837-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/312-928-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/312-1000-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/1048-1149-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | F3AB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | F3AB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | F3AB.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | F3AB.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | F3AB.exe
-
Raccoon Stealer payload 3 IoCs
resource | yara_rule
behavioral1/memory/856-961-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
behavioral1/memory/856-966-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
behavioral1/memory/856-971-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
resource | yara_rule
behavioral1/memory/1088-66-0x0000000000400000-0x000000000043E000-memory.dmp | family_redline
behavioral1/memory/4472-523-0x0000000000480000-0x00000000004DA000-memory.dmp | family_redline
behavioral1/memory/4472-569-0x0000000000400000-0x000000000047E000-memory.dmp | family_redline
behavioral1/memory/6064-603-0x0000000000510000-0x000000000054E000-memory.dmp | family_redline
behavioral1/memory/1944-718-0x0000000000550000-0x00000000005AA000-memory.dmp | family_redline
behavioral1/memory/1944-757-0x0000000000400000-0x000000000047E000-memory.dmp | family_redline
behavioral1/memory/5068-1185-0x0000000000800000-0x000000000083E000-memory.dmp | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description | pid Process | procid_target
PID 2840 created 3376 | 2840 latestX.exe | 36 (repeated 5 times)
PID 224 created 3376 | 224 updater.exe | 36 (repeated 6 times)
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | latestX.exe
File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 1240 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | kos4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | 5lX8PJ3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | explothe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | 229D.exe
-
Executes dropped EXE 47 IoCs
pid | Process
3344 | xl1Gm89.exe
1080 | kJ9DB98.exe
4744 | dw3ab52.exe
3512 | DC1fX52.exe
2416 | Mo9XG69.exe
4484 | 1BE68Fe2.exe
2336 | 2zC1424.exe
820 | 3As08SU.exe
5068 | 4Bm839RL.exe
4604 | 5lX8PJ3.exe
3272 | explothe.exe
2804 | 6Hd3KS7.exe
2616 | 7nQ3tg38.exe
6044 | EF32.exe
6132 | F00E.exe
5824 | ex8QX0jl.exe
5624 | ke2Ql4ic.exe
5688 | iY9AY6Py.exe
5500 | F2A0.exe
5488 | av8tT7AK.exe
5548 | 1og51cM3.exe
5580 | F3AB.exe
2616 | F532.exe
4472 | F718.exe
6064 | 2vX306MS.exe
6000 | 229D.exe
4528 | 2425.exe
1944 | 261A.exe
5744 | toolspub2.exe
312 | 31839b57a4f11171d6abc8bbc4451ee4.exe
5740 | kos4.exe
2840 | latestX.exe
4084 | powershell.exe
3636 | LzmwAqmV.exe
5856 | LzmwAqmV.tmp
1444 | toolspub2.exe
1560 | explothe.exe
3764 | powershell.exe
1616 | zDriveTools.exe
1048 | 31839b57a4f11171d6abc8bbc4451ee4.exe
448 | 7640.exe
2436 | csrss.exe
224 | updater.exe
312 | injector.exe
5436 | windefender.exe
4148 | windefender.exe
5144 | explothe.exe
-
Loads dropped DLL 9 IoCs
pid | Process
4472 | F718.exe (repeated 2 times)
1944 | 261A.exe (repeated 2 times)
5856 | LzmwAqmV.tmp (repeated 3 times)
4084 | powershell.exe
5996 | rundll32.exe
-
resource yara_rule behavioral1/memory/5436-1334-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" F3AB.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 14 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | dw3ab52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ex8QX0jl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ke2Ql4ic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | av8tT7AK.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | xl1Gm89.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | kJ9DB98.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | EF32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\2425.exe'\"" | 2425.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | iY9AY6Py.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | DC1fX52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | Mo9XG69.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 31839b57a4f11171d6abc8bbc4451ee4.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description ioc Process File opened for modification \??\WinMonFS csrss.exe -
Drops file in System32 directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
-
Suspicious use of SetThreadContext 9 IoCs
description | pid Process | procid_target
PID 4484 set thread context of 2868 | 4484 1BE68Fe2.exe | 94
PID 2336 set thread context of 4636 | 2336 2zC1424.exe | 98
PID 5068 set thread context of 1088 | 5068 4Bm839RL.exe | 103
PID 5548 set thread context of 4832 | 5548 1og51cM3.exe | 174
PID 5744 set thread context of 1444 | 5744 toolspub2.exe | 193
PID 4084 set thread context of 856 | 4084 powershell.exe | 229
PID 448 set thread context of 5068 | 448 7640.exe | 238
PID 224 set thread context of 4828 | 224 updater.exe | 281
PID 224 set thread context of 4636 | 224 updater.exe | 282
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe -
Drops file in Program Files directory 26 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Drive Tools\is-K2VNH.tmp | LzmwAqmV.tmp
File created | C:\Program Files\Google\Chrome\updater.exe | latestX.exe
File created | C:\Program Files (x86)\Drive Tools\is-6DQAU.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-OMC5B.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-85IJH.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-VGR49.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-BTT3J.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-LR0FV.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-29O5R.tmp | LzmwAqmV.tmp
File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-D5I1Q.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-K4R5J.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-43D2J.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-VFR1V.tmp | LzmwAqmV.tmp
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
File created | C:\Program Files (x86)\Drive Tools\is-30O5P.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-0O9RL.tmp | LzmwAqmV.tmp
File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\unins000.dat | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-OF3QI.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-7GE68.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-SS2EV.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-EEE03.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\Lang\is-M1CT9.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-IQVGU.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-UKKH7.tmp | LzmwAqmV.tmp
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\rss\csrss.exe | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | F718.exe
File opened for modification | C:\Windows\rss | 31839b57a4f11171d6abc8bbc4451ee4.exe
-
Launches sc.exe 11 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 5684 sc.exe 4636 sc.exe 5672 sc.exe 1192 sc.exe 1644 sc.exe 5712 sc.exe 4932 sc.exe 2900 sc.exe 4460 sc.exe 5748 sc.exe 5188 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
pid | pid_target | Process | procid_target
4708 | 4636 | WerFault.exe | 98
4784 | 4472 | WerFault.exe | 167
4256 | 4832 | WerFault.exe | 174
4376 | 1944 | WerFault.exe | 181
4796 | 856 | WerFault.exe | 204
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3As08SU.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3As08SU.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3As08SU.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2452 schtasks.exe 5676 schtasks.exe 632 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" | windefender.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | windefender.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2868 | AppLaunch.exe (repeated 2 times)
820 | 3As08SU.exe (repeated 2 times)
3376 | Explorer.EXE (repeated 60 times)
-
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 656 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 820 3As08SU.exe 1444 toolspub2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid | Process
3748 | msedge.exe (repeated 13 times)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid Process
Token: SeDebugPrivilege | 2868 AppLaunch.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3376 Explorer.EXE
Token: SeDebugPrivilege | 5580 F3AB.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3376 Explorer.EXE
Token: SeDebugPrivilege | 5740 kos4.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3376 Explorer.EXE
(The three SeDebugPrivilege rows are interleaved, in the order shown, with 61 alternating SeShutdownPrivilege/SeCreatePagefilePrivilege rows for 3376 Explorer.EXE; the listing ends on a SeShutdownPrivilege row.)
-
Suspicious use of FindShellTrayWindow 26 IoCs
PID   Process
3748  msedge.exe    (25 entries)
5856  LzmwAqmV.tmp  (1 entry)
Suspicious use of SendNotifyMessage 24 IoCs
PID   Process
3748  msedge.exe    (24 entries)
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3376 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Source PID  Source process                                                          Target PID  procid_target  Writes
4988        d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe    3344        88             3
3344        xl1Gm89.exe                                                             1080        89             3
1080        kJ9DB98.exe                                                             4744        90             3
4744        dw3ab52.exe                                                             3512        91             3
3512        DC1fX52.exe                                                             2416        92             3
2416        Mo9XG69.exe                                                             4484        93             3
4484        1BE68Fe2.exe                                                            2868        94             8
2416        Mo9XG69.exe                                                             2336        95             3
2336        2zC1424.exe                                                             4636        98             10
3512        DC1fX52.exe                                                             820         99             3
4744        dw3ab52.exe                                                             5068        102            3
5068        4Bm839RL.exe                                                            1088        103            8
1080        kJ9DB98.exe                                                             4604        104            3
4604        5lX8PJ3.exe                                                             3272        105            3
3344        xl1Gm89.exe                                                             2804        106            3
3272        explothe.exe                                                            2452        107            2
(64 entries, consecutive duplicates collapsed into the "Writes" column. The three-write rows are the ordinary parent-to-child writes of process creation; the 8- and 10-write rows all target AppLaunch.exe children whose parents also trigger SetThreadContext in the process tree, a pattern consistent with the .NET host being hollowed rather than launched normally.)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
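The scheduled-task, ACL, firewall and service-descriptor commands recorded in the process tree below are the parts of this run a responder can hunt for directly. The following Python is an added triage helper, not code from the sandbox or from the samples; it takes command lines in the shape of those in this report (the list below is a constructed copy, not live telemetry), tags the persistence and self-protection behaviours, and parses the SDDL string passed to `sc sdset` to list what the DACL denies Administrators. The tag names and the "lookalike path" heuristic (an .exe under C:\Windows outside System32/SysWOW64) are this example's own conventions, and the two-letter right codes are decoded with the service-object mapping that `sc sdset` uses; the same letters mean different rights on files or registry keys.

```python
import re

# Service-specific access rights as "sc sdset" spells them in SDDL
# (two-letter codes concatenated in the rights field of each ACE).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Constructed sample: command lines copied in shape from this report's process
# tree, not telemetry collected from a live host.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'CACLS "explothe.exe" /P "Admin:N"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"',
]

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
# An .exe under C:\Windows but outside the real system directories, like
# C:\Windows\rss\csrss.exe in this report, borrows a system binary's name
# (heuristic and an assumption of this example; tune the list for your estate).
LOOKALIKE_RE = re.compile(r"c:\\windows\\(?!system32\\|syswow64\\)[^\s\"]+\.exe", re.I)


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (type, [rights], trustee)
    tuples; the SACL (S:) part is ignored. Hex rights masks are kept as-is."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:        # not a well-formed ACE, skip it
            continue
        ace_type, _flags, rights, _obj, _inh, trustee = fields
        if rights.lower().startswith("0x"):
            names = [rights]
        else:
            names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)]
        aces.append((ace_type, names, trustee))
    return aces


def denied_admin_service_rights(sddl):
    """Rights explicitly denied to the local Administrators group (BA)."""
    denied = []
    for ace_type, names, trustee in parse_dacl(sddl):
        if ace_type == "D" and trustee == "BA":
            denied.extend(names)
    return denied


def classify_cmdline(cmd):
    """Tag one command line with the persistence / self-protection behaviours
    seen in this report. Tag names are this example's own convention."""
    tags = set()
    low = cmd.lower()
    if "schtasks" in low and "/create" in low:
        tags.add("persistence:schtasks")
        if re.search(r"/sc\s+minute\s+/mo\s+1(\s|$)", low):
            tags.add("schtasks:every-minute")      # one-minute relaunch watchdog
        if "/rl highest" in low:
            tags.add("schtasks:highest-runlevel")  # elevated at every logon
    if "cacls" in low and re.search(r"/p\s+\"[^\"]+:n\"", low):
        tags.add("selfprotect:deny-acl-on-dropped-file")
    if "netsh" in low and "advfirewall" in low and "action=allow" in low:
        tags.add("defense-evasion:firewall-allow-rule")
    if re.search(r"\bsc(\.exe)?\s+sdset\b", low):
        denied = denied_admin_service_rights(cmd)
        if denied:
            tags.add("selfprotect:service-denies-admin:" + ",".join(denied))
    if TEMP_RE.search(cmd):
        tags.add("path:user-temp")
    if LOOKALIKE_RE.search(cmd):
        tags.add("path:windows-lookalike")
    return sorted(tags)


def scan(cmdlines):
    """Return {command line: tags} for every line that raised at least one tag."""
    return {c: t for c in cmdlines if (t := classify_cmdline(c))}


if __name__ == "__main__":
    for cmd, tags in scan(SAMPLE_CMDLINES).items():
        print(", ".join(tags), "<-", cmd[:70])
```

On the sample above the `sc sdset` line decodes to a deny ACE on BA for SERVICE_STOP and SERVICE_PAUSE_CONTINUE: an administrator can still query and reconfigure the "WinDefender" service but cannot stop it from the service control manager, which is why the `(D;;WPDT;;;BA)` ACE is the line worth alerting on rather than the `sc` invocation itself. Feed the function real process-creation events (Sysmon event 1 or Security 4688 with command-line auditing) instead of the constructed list; the two plain `schtasks /Delete` lines correctly produce no tags.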
Processes
(Indentation and the [n] prefix give the nesting depth recorded by the sandbox; "cmd:" is the command line as captured, shown separately from the image path.)

[1] C:\Windows\Explorer.EXE  (PID 3376)
    cmd: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
  [2] C:\Users\Admin\AppData\Local\Temp\d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe  (PID 4988)
      cmd: "C:\Users\Admin\AppData\Local\Temp\d883eec3d671584b0d6d28daa6dbd5f4ebc2a6a9cbd7ebbb908b3ec219cedf31.exe"
      - DcRat
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xl1Gm89.exe  (PID 3344)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xl1Gm89.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ9DB98.exe  (PID 1080)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJ9DB98.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw3ab52.exe  (PID 4744)
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dw3ab52.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DC1fX52.exe  (PID 3512)
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\DC1fX52.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Mo9XG69.exe  (PID 2416)
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Mo9XG69.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
              [8] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BE68Fe2.exe  (PID 4484)
                  cmd: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BE68Fe2.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2868)
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    - Modifies Windows Defender Real-time Protection settings
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
              [8] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zC1424.exe  (PID 2336)
                  cmd: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2zC1424.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4636)
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  [10] C:\Windows\SysWOW64\WerFault.exe  (PID 4708)
                       cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 540
                       - Program crash
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe  (PID 820)
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3As08SU.exe
                - Executes dropped EXE
                - Checks SCSI registry key(s)
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
          [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Bm839RL.exe  (PID 5068)
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4Bm839RL.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 1088)
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5lX8PJ3.exe  (PID 4604)
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5lX8PJ3.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe  (PID 3272)
              cmd: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe  (PID 2452)
                cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
                - DcRat
                - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 1568)
                cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 3136)
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 2976)
                  cmd: CACLS "explothe.exe" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 4768)
                  cmd: CACLS "explothe.exe" /P "Admin:R" /E
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 4780)
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 3768)
                  cmd: CACLS "..\fefffe8cea" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 4876)
                  cmd: CACLS "..\fefffe8cea" /P "Admin:R" /E
            [7] C:\Windows\SysWOW64\rundll32.exe  (PID 5996)
                cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                - Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Hd3KS7.exe  (PID 2804)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Hd3KS7.exe
          - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe  (PID 2616)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe
        - Executes dropped EXE
      [4] C:\Windows\system32\cmd.exe  (PID 1000)
          cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BE4F.tmp\BE50.tmp\BE51.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7nQ3tg38.exe"
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3748)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
            - Enumerates system info in registry
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2240)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3460)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 208)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4580)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3648)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2912 /prefetch:3
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2200)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2860 /prefetch:2
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1628)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4660)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2632)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4780)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 6128)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 5052)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 760)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4784)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5700)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3468 /prefetch:8
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5764)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1348)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5012)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5928)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5428)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4644)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,10074865653505056308,8178467339755119653,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4016)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3900)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1352)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13715077489350696047,2584934161393044779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3092)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13715077489350696047,2584934161393044779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2916)
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1876)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1944)
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,17090615230723913346,18305231615301296474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  [2] C:\Users\Admin\AppData\Local\Temp\EF32.exe  (PID 6044)
      cmd: C:\Users\Admin\AppData\Local\Temp\EF32.exe
      - Executes dropped EXE
      - Adds Run key to start application
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ex8QX0jl.exe  (PID 5824)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ex8QX0jl.exe
        - Executes dropped EXE
        - Adds Run key to start application
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ke2Ql4ic.exe  (PID 5624)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ke2Ql4ic.exe
          - Executes dropped EXE
          - Adds Run key to start application
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iY9AY6Py.exe  (PID 5688)
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iY9AY6Py.exe
            - Executes dropped EXE
            - Adds Run key to start application
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\av8tT7AK.exe  (PID 5488)
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\av8tT7AK.exe
              - Executes dropped EXE
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1og51cM3.exe  (PID 5548)
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1og51cM3.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
              [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 4832)
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                [9] C:\Windows\SysWOW64\WerFault.exe  (PID 4256)
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 540
                    - Program crash
            [7] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2vX306MS.exe  (PID 6064)
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2vX306MS.exe
                - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\F00E.exe  (PID 6132)
      cmd: C:\Users\Admin\AppData\Local\Temp\F00E.exe
      - Executes dropped EXE
  [2] C:\Windows\system32\cmd.exe  (PID 5728)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F196.bat" "
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4840)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3512)
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 180)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
  [2] C:\Users\Admin\AppData\Local\Temp\F2A0.exe  (PID 5500)
      cmd: C:\Users\Admin\AppData\Local\Temp\F2A0.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\F3AB.exe  (PID 5580)
      cmd: C:\Users\Admin\AppData\Local\Temp\F3AB.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\F532.exe  (PID 2616)
      cmd: C:\Users\Admin\AppData\Local\Temp\F532.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\F718.exe  (PID 4472)
      cmd: C:\Users\Admin\AppData\Local\Temp\F718.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\WerFault.exe  (PID 4784)
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 784
        - Program crash
C:\Users\Admin\AppData\Local\Temp\229D.exeC:\Users\Admin\AppData\Local\Temp\229D.exe2⤵
- Checks computer location settings
- Executes dropped EXE
PID:6000 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5744 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1444
-
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
- Executes dropped EXE
PID:312 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵PID:5584
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1048 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5448
        C:\Windows\system32\cmd.exe  [depth 5, PID 5888]
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          C:\Windows\system32\netsh.exe  [depth 6, PID 1240]
            Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 5, PID 4084]
          Command line: powershell -nologo -noprofile
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in System32 directory
          - Suspicious use of SetThreadContext
          - Modifies data under HKEY_USERS
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 5, PID 3868]
          Command line: powershell -nologo -noprofile
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
        C:\Windows\rss\csrss.exe  [depth 5, PID 2436]
          Command line: C:\Windows\rss\csrss.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Manipulates WinMonFS driver
          - Drops file in Windows directory
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 6, PID 2428]
            Command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            C:\Windows\System32\Conhost.exe  [depth 7, PID 856]
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          C:\Windows\SYSTEM32\schtasks.exe  [depth 6, PID 5676]
            Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)
            C:\Windows\System32\Conhost.exe  [depth 7, PID 4460]
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          C:\Windows\SYSTEM32\schtasks.exe  [depth 6, PID 944]
            Command line: schtasks /delete /tn ScheduledUpdate /f
            C:\Windows\System32\Conhost.exe  [depth 7, PID 2192]
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 6, PID 4608]
            Command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [depth 6, PID 5572]
            Command line: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe  [depth 6, PID 312]
            Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            - Executes dropped EXE
          C:\Windows\SYSTEM32\schtasks.exe  [depth 6, PID 632]
            Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)
          C:\Windows\windefender.exe  [depth 6, PID 5436]
            Command line: "C:\Windows\windefender.exe"
            - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  [depth 7, PID 840]
              Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              C:\Windows\SysWOW64\sc.exe  [depth 8, PID 5188]
                Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                - Launches sc.exe
    C:\Users\Admin\AppData\Local\Temp\kos4.exe  [depth 3, PID 5740]
      Command line: "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe  [depth 4, PID 3636]
        Command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp  [depth 5, PID 5856]
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-1MD07.tmp\LzmwAqmV.tmp" /SL5="$F011A,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of FindShellTrayWindow
          C:\Program Files (x86)\Drive Tools\zDriveTools.exe  [depth 6, PID 3764]
            Command line: "C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
          C:\Windows\SysWOW64\schtasks.exe  [depth 6, PID 4788]
            Command line: "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
          C:\Program Files (x86)\Drive Tools\zDriveTools.exe  [depth 6, PID 1616]
            Command line: "C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
            - Executes dropped EXE
          C:\Windows\SysWOW64\schtasks.exe  [depth 6, PID 4412]
            Command line: "C:\Windows\system32\schtasks.exe" /Query
    C:\Users\Admin\AppData\Local\Temp\latestX.exe  [depth 3, PID 2840]
      Command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in Program Files directory
  C:\Users\Admin\AppData\Local\Temp\2425.exe  [depth 2, PID 4528]
    Command line: C:\Users\Admin\AppData\Local\Temp\2425.exe
    - Executes dropped EXE
    - Adds Run key to start application
  C:\Users\Admin\AppData\Local\Temp\261A.exe  [depth 2, PID 1944]
    Command line: C:\Users\Admin\AppData\Local\Temp\261A.exe
    - Executes dropped EXE
    - Loads dropped DLL
    C:\Windows\SysWOW64\WerFault.exe  [depth 3, PID 4376]
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 784
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\3657.exe  [depth 2, PID 4084]
    Command line: C:\Users\Admin\AppData\Local\Temp\3657.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [depth 3, PID 2192]
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  [depth 3, PID 856]
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      C:\Windows\SysWOW64\WerFault.exe  [depth 4, PID 4796]
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 572
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\7640.exe  [depth 2, PID 448]
    Command line: C:\Users\Admin\AppData\Local\Temp\7640.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  [depth 3, PID 5068]
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 2, PID 3764]
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Executes dropped EXE
  C:\Windows\System32\cmd.exe  [depth 2, PID 2648]
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    C:\Windows\System32\sc.exe  [depth 3, PID 2900]
      Command line: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 4636]
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 5672]
      Command line: sc stop wuauserv
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 4460]
      Command line: sc stop bits
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 5748]
      Command line: sc stop dosvc
      - Launches sc.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 2, PID 1240]
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  C:\Windows\System32\cmd.exe  [depth 2, PID 6088]
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\Conhost.exe  [depth 3, PID 5888]
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\System32\powercfg.exe  [depth 3, PID 5188]
      Command line: powercfg /x -hibernate-timeout-ac 0
    C:\Windows\System32\powercfg.exe  [depth 3, PID 1784]
      Command line: powercfg /x -hibernate-timeout-dc 0
    C:\Windows\System32\powercfg.exe  [depth 3, PID 5204]
      Command line: powercfg /x -standby-timeout-ac 0
    C:\Windows\System32\powercfg.exe  [depth 3, PID 1644]
      Command line: powercfg /x -standby-timeout-dc 0
  C:\Windows\System32\schtasks.exe  [depth 2, PID 5608]
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 2, PID 1092]
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  C:\Windows\System32\cmd.exe  [depth 2, PID 5480]
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    C:\Windows\System32\sc.exe  [depth 3, PID 1192]
      Command line: sc stop UsoSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 5712]
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 1644]
      Command line: sc stop wuauserv
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 4932]
      Command line: sc stop bits
      - Launches sc.exe
    C:\Windows\System32\sc.exe  [depth 3, PID 5684]
      Command line: sc stop dosvc
      - Launches sc.exe
  C:\Windows\System32\cmd.exe  [depth 2, PID 32]
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    C:\Windows\System32\powercfg.exe  [depth 3, PID 4596]
      Command line: powercfg /x -hibernate-timeout-ac 0
    C:\Windows\System32\powercfg.exe  [depth 3, PID 5584]
      Command line: powercfg /x -hibernate-timeout-dc 0
    C:\Windows\System32\powercfg.exe  [depth 3, PID 1956]
      Command line: powercfg /x -standby-timeout-ac 0
    C:\Windows\System32\powercfg.exe  [depth 3, PID 6056]
      Command line: powercfg /x -standby-timeout-dc 0
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [depth 2, PID 5732]
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
  C:\Windows\System32\conhost.exe  [depth 2, PID 4828]
    Command line: C:\Windows\System32\conhost.exe
  C:\Windows\explorer.exe  [depth 2, PID 4636]
    Command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 740]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4636 -ip 4636
C:\Windows\System32\CompPkgSrv.exe  [depth 1, PID 4840]
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe  [depth 1, PID 5480]
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 1, PID 5696]
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a3c46f8,0x7ff95a3c4708,0x7ff95a3c4718
C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 5636]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4472 -ip 4472
C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 4600]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4832 -ip 4832
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe  [depth 1, PID 1560]
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 2436]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1944 -ip 1944
C:\Windows\System32\CompPkgSrv.exe  [depth 1, PID 1048]
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\WerFault.exe  [depth 1, PID 6068]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 856 -ip 856
C:\Program Files\Google\Chrome\updater.exe  [depth 1, PID 224]
  Command line: "C:\Program Files\Google\Chrome\updater.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
C:\Windows\windefender.exe  [depth 1, PID 4148]
  Command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe  [depth 1, PID 5144]
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  - Executes dropped EXE
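Added example, not part of the sandbox report, the sample, or any tool the page names: a Python triage pass over the process tree above. It does two things a responder wants from such a tree. First, it decodes the security descriptor that sc.exe (PID 5188) applies to the WinDefender service with `sc sdset`, using the documented mapping of SDDL right tokens to service access rights, and reports who can still stop the service. Second, it tags command lines with the evasion or persistence step each performs (Defender exclusions, stopping the update services, disabling sleep, the logon task and firewall rule for the dropped csrss.exe, a csrss.exe copy living outside System32). The tag names, the PID-to-tags output, and SAMPLE_EVENTS (constructed from command lines in the tree) are this example's own; ACEs are evaluated one trustee at a time with no group-membership expansion, which is enough for a hand-written string like the one here.

```python
"""Triage helpers for a sandbox process tree (added example, not report code).

Decodes the `sc sdset` descriptor seen in the tree and tags command lines with
the technique they implement. SAMPLE_EVENTS is constructed from the tree above.
"""
import re

# Service-specific meaning of the generic SDDL right tokens accepted by sc sdset.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "IU": "Interactive users",
            "SU": "Service logon", "WD": "Everyone"}
ACE_TYPES = {"A": "allow", "D": "deny"}

# The exact descriptor the tree shows sc.exe (PID 5188) applying to WinDefender.
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_service_dacl(sddl):
    """Return the DACL of an sc sdset string as (ace_type, rights, trustee) tuples."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # keep the DACL, drop any SACL
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")
        names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)}
        aces.append((ACE_TYPES.get(ace_type, ace_type), names, TRUSTEES.get(sid, sid)))
    return aces


def who_can_stop(sddl):
    """Trustees left with SERVICE_STOP after deny ACEs are applied.
    Simplification: one trustee per ACE, no group-membership expansion."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in parse_service_dacl(sddl):
        if "SERVICE_STOP" in rights:
            (allowed if ace_type == "allow" else denied).add(trustee)
    return sorted(allowed - denied)


def denied_rights(sddl, trustee):
    """Rights explicitly denied to one trustee (what Administrators lose here)."""
    out = set()
    for ace_type, rights, who in parse_service_dacl(sddl):
        if ace_type == "deny" and who == trustee:
            out |= rights
    return sorted(out)


# Technique tags for the command lines in the tree: (tag, regex) pairs; tag names are ours.
RULES = [
    ("defender-exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("stop-update-services", re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("disable-sleep", re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)),
    ("scheduled-task", re.compile(r"schtasks\s+/create|Register-ScheduledTask", re.I)),
    ("service-dacl-lockdown", re.compile(r"\bsc\s+sdset\b", re.I)),
    ("firewall-allow-rule", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
]
# Core Windows process names; a copy outside System32/SysWOW64 is masquerading.
SYSTEM_PROCESSES = {"csrss.exe", "conhost.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
PATH_RX = re.compile(r'([A-Za-z]:\\(?:[^\\"\s]+\\)*)([^\\"\s]+\.exe)', re.I)


def tag_command(cmdline):
    """Return the technique tags that apply to one command line."""
    tags = [tag for tag, rx in RULES if rx.search(cmdline)]
    for folder, name in PATH_RX.findall(cmdline):  # every .exe path mentioned
        if name.lower() in SYSTEM_PROCESSES and not folder.lower().startswith(LEGIT_DIRS):
            tags.append("masquerading:" + name.lower())
    return tags


def triage(events):
    """Map PID -> tags for the (pid, cmdline) process events that have findings."""
    findings = {}
    for pid, cmdline in events:
        tags = tag_command(cmdline)
        if tags:
            findings[pid] = tags
    return findings


# Constructed from the tree above: a subset of its command lines with their PIDs.
SAMPLE_EVENTS = [
    (1240, r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (2436, r"C:\Windows\rss\csrss.exe"),
    (5676, r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (856, r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (3764, "powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    (2648, "cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    (6088, "cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"),
    (840, "cmd.exe /C sc sdset WinDefender " + WINDEFENDER_SDDL),
]

if __name__ == "__main__":
    print("can stop WinDefender:", who_can_stop(WINDEFENDER_SDDL))
    print("denied to Administrators:", denied_rights(WINDEFENDER_SDDL, "Administrators"))
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, tags)
```

Run stand-alone, the descriptor decodes to: SYSTEM keeps SERVICE_STOP, while Administrators are explicitly denied SERVICE_STOP and SERVICE_PAUSE_CONTINUE (their allow ACE omits WP and DT as well, so the deny ACE is redundant belt-and-braces); an administrator who tries `sc stop WinDefender` after this runs gets access denied. The masquerading check fires three times on C:\Windows\rss\csrss.exe (the firewall rule, the process itself, and the ONLOGON task), and the genuine conhost.exe under System32 (PID 856) produces no finding.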
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)
Downloads

Filesize: 226B
MD5: 916851e072fbabc4796d8916c5131092
SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Filesize: 152B (8 identical entries)
MD5: 84df16093540d8d88a327b849dd35f8c
SHA1: c6207d32a8e44863142213697984de5e238ce644
SHA256: 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c
SHA512: 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Filesize: 152B
MD5: df4fb359f7b2fa8af30bf98045c57c44
SHA1: 6d507359e1fd5be8f7c01fd4b291f81cf9561378
SHA256: 5ff7efcd90db74ff5a6fa467ba741889306ce510b95db8ebd3d5d292dfe587cc
SHA512: 92195f5fe36acb84ce5aeedf8654c2ec1d71ebde1e04a5dbce11df2831c3e085c0cd7132ed2c4bddcc3fd1e546c06021dbe5b7364e86054e6cbd6806e7be0463

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 1b9246bf96b8aad2883e1f0f7a8d0f8c
SHA1: d986e520b58bc6f61e02482c21aba284e24f8787
SHA256: 3a7789aa16374e5de01bd719d865f271b6a7b70ad79001edf92727290de1d1f9
SHA512: 4e56943813cf2035aeef7fa570e8aba5cc97aa7b49944fcefa6c2154da0f99607089e454b3ceee05d56540b309a03ba4d90b1cab1a6b1c91d3465651bc5b54dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 43c2570d7a2d00a914fa7a14fbeecd8a
SHA1: f6b3bb1b2c3753714a668c994709cfad80edac82
SHA256: 64d62df38c0ecfe4619e0f0323eab41220ff77de118ab322584c8d103054a43e
SHA512: cdd16d677ee3f8ffe8db4f8c3c6b3f764ad5b39a9dd59c87e1cae967a9a3b359b0fa7e2c870bc6381e50f430d2d8dac0a7f62797303b5d2257d063a55e0a2840

Filesize: 2KB
MD5: e8ab4f84824f5c89b109fb89a0cb80d1
SHA1: 8489def97eb6c203f418990c6b2587a043f975b5
SHA256: b027a8e4832b919a92d909c4936021806c725231625d490ea792abb12578f701
SHA512: 89e32e74064fd3d528351cb3cd07b0370dc45287dec27c52fce1c7f83b7eaa355090de28bcd3642d2b5af0299668f4547a3c1836abb023e024b1153d0fb85806

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 5KB
MD5: 3317731087c670b2e83bbf4469afe617
SHA1: 26ed1b8e3a929ae793cc8813a3e5d851170104b8
SHA256: f2b8a6e4382b3bca5bd5e4daa83786e8bdce54eb0f69e134bece01e1c08fb6de
SHA512: 2ec04a908dbf68814b55d859be930ec147e092eb911a3967a79af3d822e47a84ad2aedb8495c46497cfd6446debfcdd2bc3530394bec1549c21ff8eec6f225ca

Filesize: 7KB
MD5: b1d4c6a96a1bdbac147994aa425b8754
SHA1: 0f5b9aa11bb5819b9a746d6e91f0a35a116b6212
SHA256: d6a1f052cfaef61bb9590699af490b1638e35ec5c4ee0c65de5d8894d80e0771
SHA512: 0c9d41bf13009600c25252efa7b105a63d56c21c534c5bd1125d70b9cdc3ff1c90282d9b412f62a7a79fb37f8488772ffcea297e485e002b82b0393175ab85f6

Filesize: 6KB
MD5: 5ed1db23490cce9be3985f007d388ff7
SHA1: 91734c6f5373160e55cc7578245bcb4d1ff49559
SHA256: 704627bc26ee813bef8708956f7dd1f28e58b4d128ab43f34e52d24c7c40207d
SHA512: 6924308e714005078bddac134fe2930238e7c1486326064eba1ad96626d2d64bc4d24aab61337c9d8b5c0fcbbf476ddbe5938d5a5d6c4076ccbd17a37e2fcfb4

Filesize: 7KB
MD5: bde3e9322699a193ae7d164b32708c71
SHA1: f98f80b1c1d635740a9b7320786d4900ea4875b0
SHA256: 037151c0f0648f1a5bfcfe71597f4c8d2b0027f0cb6b4ad03e8c6bd3f0406b78
SHA512: de9e22ceeb492789f262594ad0cf8af070e53f73834b571ac09ea215ff7ff319ae4448bcf72bf261226a9fe1ed0abec1206813c82b63704d10aa734460628647

Filesize: 24KB
MD5: 918ecd7940dcab6b9f4b8bdd4d3772b2
SHA1: 7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4
SHA256: 3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175
SHA512: c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5061c482-8324-424e-8a14-e7b0f4a8420d\index-dir\the-real-index
Filesize: 624B
MD5: a50cc2800bb2e2edf5ab4c3d5ef7c331
SHA1: c832e222e20a63b4a1c29c7929cee152e2add104
SHA256: e6d9a0efff879453dde5273d9c67c4380bce48c5ce6e753d8b0655b7a9797342
SHA512: 22f3293d97a3cddb24710c88470afe32c9b2faa820bb5745142aacf0438c1cd481e73ed6035d8db2728aef65f021e97e67f0cdf2f00630fd654367fbe2333a1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\5061c482-8324-424e-8a14-e7b0f4a8420d\index-dir\the-real-index~RFe5876a2.TMP
Filesize: 48B
MD5: e4abfb97e9ef29e027a58ae9b9f5d624
SHA1: f91d759b0076d5d6ed1f0bff38f0f32e60038f2a
SHA256: 6ebdbb8ad263304b01087138e8178d194421a5f53a2e3b92e7784f97d4e804ac
SHA512: 6c6997e46a106a6aded372723fa906e89be33d2a26be37c2ad2a4fa50044779e3d5ab1a87ed73984dda432e2a29872bb9b452df7d94c1746548cb4fbdb21b343

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 89B
MD5: f46787797bc3005eb90ca58e39f08c91
SHA1: 8a413b882d700e6e2194d412400e262140eaff9c
SHA256: e925e2710841c40d3ec018eae67856af845355e66fdebdcb362a4ddabcef5af1
SHA512: 33f7146f8d59b4e8dec8be9b0d0ca377f9b6f88681ca755ea2d6e22aa62dcbf162678f6ba73509a670c398c8a5aeb06ca32764573bd8a9b5f8a16b1d48b9eac8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 155B
MD5: 5de3907f20d322363cd78a1ee7a53a6f
SHA1: 2b395f245420b552e0a80f9b0059cd9fd5162c9f
SHA256: 44adf4d8f19e8b642e7a365c436eb5ec8ecb344786241a96fcf37b9728066192
SHA512: 6aacf7e5a3dd1b60cc3af6f4783c7a64d7d91e65df2a460d1f610646f60c564b797252e9aee6a221ebe4b076e13ab3ad591beeb3dab90ec437d5651e1f91f618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 82B
MD5: f39998eecfe3ef47ac5ff4df2f1742eb
SHA1: 44ca6bf7ca78cf96a38710e2b33431316320950d
SHA256: 8200d139a44ed7a89651c83e0a25c99911ea9363e6d206e94ebe500cf826c8eb
SHA512: b6f10515c7f44c743a64a4c3a54b1ec9ec12dd8c6013091863bc1f50f0cab65c48d4b74143a2a3fe74bd2d8183644fcc9b750395e15f62cfa6e7042485c20001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 146B
MD5: f6f0b45177069cacdddcce16e71bd898
SHA1: 1edb9a902ab4b58f48fa8de317ba620371ac1737
SHA256: c9b7e695cee9a5582fa15b098dede8d438160ea577a01b0cfcd35c10b1ce02f2
SHA512: 38f5f55bc36e3d4b7e25fcf8f00efb6dc6608c0431f64a5aef75c12f1c1c44ed022f824151fbf1663bdcf2451398ecd3b7e0e6df11845422852ddb957e5b8ff5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize: 151B
MD5: 16f13610e52f60f607cd67f12add3345
SHA1: 0040325fa3ff892bfff8636745bf5cf721e36008
SHA256: 0445123cbe4ec0132e08210a86bd6994dc8f55e5e4cd915734af36cfb148ddd3
SHA512: 6d6c00918d292c5b29311596291fa0e489534950de58c8df1cb4671b8bb58f5ffce9e66e6856306bcb6e53ae71d51e51f459b3e007b4059f84f67ecd7d58cb41

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 96B
MD5: 705aa57223a9c0c26b207f97fc454a38
SHA1: e9c3f1c77c3b5b403f533d73a745adf66eb9a73c
SHA256: 0a7ef1bce447895f6c5bea5947a758409f277e0424f6207750a3a178cc7ec11b
SHA512: 18346567cf273f8b9e7d2fe36d5adee823b3acc304231bf55fbb3efc194a35e2a2e4caa18f34078cc220cffd8b15325738a8c7b2291c6a18a33e80f74490e6a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583da0.TMP
Filesize: 48B
MD5: b107a65348ad7531d9ee6dc66c3da44c
SHA1: e8a537ee835d8ca9cfc31b850d99d24dbc971249
SHA256: f1eb00d607f0d22294110e24ae76f14b4902a508ee3d5745425e9e5d048db431
SHA512: 537a786e56704e5343d56006cd787f682e7d3ef908aa7ef34e6b7464572f5f17a57792a266e60ee845a5482f7a14a7fd5d3f175b8c510eaa1ed20e5b1b48df03

Filesize: 1KB
MD5: 2ce076c5c9bba990fa7d8bd6fbf1516c
SHA1: 143b0a0a25ad7120dd2fcf247dd803b5d9391d4e
SHA256: 960e643eb0607cde063122f197b09050bb43a5ed67bb9ef5a20192a0f7607c3a
SHA512: 071616a44b2bbab8e46e3bf0982068b9d003cf08518a4cc15d41eb1bf19595d3f4e81bec0f1ac9bff8945d3d5d9a0c4a86b5739d3300c281cc0da0498a4b1e34

Filesize: 1KB
MD5: 86791bfff4dc8b90edb85d36a48c6c68
SHA1: 35cce200da1412e366144ec7c9e53afd85167908
SHA256: 98f1665315b0775d0ff3360a0dc8a85e91f16427ddcd8a925ea60fe563801eb0
SHA512: 4a804fb5622a2d588307d5ad91677dd86e72020c3b28f9e8a388cd2caa0d0e418d20b4bc68c78162e99d956a342828c2a14b6829fc4b517bcd3b723836dadb64

Filesize: 1KB
MD5: b2557d0611f03dbe388e2f0a10e73a0a
SHA1: ae3728e8ef1198df1408e442428910d9f860ba21
SHA256: 37e24992d2a92433f11c72309aa5a3e582f03e9b250c1ce59c4878087c0f418b
SHA512: 8b758d81870e5420e015aad91de3496b0a4887b1843917acd7a5e710f31e3fb0ad954ce8ba1a94db82bb79579a50e330e0a12c94afb07aac835c2fce6ad68552

Filesize: 1KB
MD5: bd7167d367d4bdcae4708bf3dc12dcd7
SHA1: e59963cac6c80a47f7ef463eb47673587b7d0a87
SHA256: 70b7903614fce4b12cb64a05f09badb94e4cea2263f293e0d7b2bac87be3dfa3
SHA512: da6c51bd0c51309efa671d1d7cca3557263bf6fa700726ed8556ac4cfb870e01d6487b3a3d9e1f912bdcd62764e289134fa7da4ddb716f0a007e648667d35f9d

Filesize: 1KB
MD5: 9fd8a53c29bd9d7f5b787242831f6698
SHA1: e5a1c7ca0a48faced7d831954c9819261954e727
SHA256: 4433f01c469ff8c57c0ee8161c4a6fc931a079f8152d90f8b0363d1ea368766f
SHA512: f79bcf329244907dd86115efefb5f7b9fda326384872e14c1551ea1344c414bd06718085c39ba73f6b70f3e5162d3ee5357aebb6daa04cdea914ca24d97c7504

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: fd910be9f39171fa03f468d87cbfa545
SHA1: 8330d85f81aa5d30ab46111dbc5537ce67af6282
SHA256: f73a8f8d7ea8337fb5bc5d5bf3b2562e1ff9930a1f30920f73ba46e40d9aa605
SHA512: 4aafd791133361bf86521cea97dbec9779245929474ffc3e1923e21c8808170b53bf6a04947c9d651538139069f6233e3450dc20c2bfe1d2480de332728045f8

Filesize: 2KB (3 identical entries)
MD5: 37a8962def9fe0fea069df8aadd37a83
SHA1: 1e61110f54b408e70b4b4adf40faeff3bc02e3ee
SHA256: 42778867701cb2f86b0bfaea2e409127f250b7c7aa77762608f6463cf264eab2
SHA512: 9065353727d294b3b4904651ea0f5190b2b248b95173ce4ef1e2c4133ff63022b354acfa338cc69499862f081c90ce56600eacfd02f4c903f0f1077a334d417f

Filesize: 10KB
MD5: 1f8ceb92affda17a56c2e81cf200adb3
SHA1: 53efc6c8a59dac27d2e2fdde77d89700123b4e77
SHA256: a8d0c902e42dfc2808b99ab91336b59d24795408d88b146edb245d69ce9ee260
SHA512: 433a3273f6418bfb8d4208783237afb7576d468c5d7642361195d24938e7a42ac5c89fb8018c4baba3402db456fd52042a82292cb9d997d4edcfe257f73e43fb

Filesize: 2KB (2 identical entries)
MD5: 2ec838a762fd238aa250b9af1575e8c0
SHA1: eba70e984523a9dce2b1f1a59ed15160b15d0762
SHA256: 0c09af6bc7aeb44c2aec44b295c724064324acdee66db9471688952f75f6ea39
SHA512: ba965de34f2a0a6b055acf4b0f07f6fdf95f41e28d1e23bdb07cf2d0f8590f491fa4007a480af91d64c8a4d57a50d7884bb1b291bf341bb96e85053d6a75b5f6

Filesize: 4.1MB
MD5: 5283cdd674c839582d319aabafaad58e
SHA1: 04f113b8d35ed25942fcf11e830c3161004f5c18
SHA256: 46e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512: f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d

Filesize: 645B
MD5: 376a9f688d0224a448db8acbf154f0dc
SHA1: 4b36f19dc23654c9333289c37e454fe09ea28ab5
SHA256: 7bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512: a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b

Filesize: 1.5MB (2 identical entries)
MD5: 56dbeb16231126799330a7757399e5ae
SHA1: ff3b170a83a8b745423292ac62dc77d8a0a10efe
SHA256: cca5f0490726143a1f62dcc3fd724624fe6f819e1e6d2c106849f34a24618895
SHA512: 045b4b8b4abee9a63d37e06859a955357b3ea320bf381f57927652ccae9ce8f49501c5a117e855173c2f1443ac52e52fc5427855a255207bdfd685559215344c

Filesize: 182KB (3 identical entries)
MD5: e561df80d8920ae9b152ddddefd13c7c
SHA1: 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256: 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512: a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

Filesize: 89KB
MD5: 2e3a7c525a4cf510bd09c42f07329da8
SHA1: 3e320521f5fb099962135f7453126060d4d0cd15
SHA256: 4ec51aacea2af6a561e0b21a56225daf95edad0b6f30ca2b4a31a794aa643899
SHA512: a56448647d44759abc651b908bbeb6382079051fb9a10f3e8166e4ad444b5190962a9a1c98a4c67b4e7bca61909588f1140fb69eb4d9a290d412262bba43ad72

Filesize: 89KB (2 identical entries)
MD5: 1060131e19463461f5d0fa5510305d97
SHA1: 402ebd1d55fdb69487a7e8858356d816c6388269
SHA256: 9c468e2fc6aad99bc4a048eacc1438e12531cbe7513bee26a7f2dee16bd54c71
SHA512: 56425ed53bcb96075e53df380159375048bdddaee27070491ae33660b7b2bb9df05838e574d57632ab0d427349c23f510b3187b90409170dea6c4e2b6023583d

Filesize: 1.3MB (2 identical entries)
MD5: 031671d2815cbd715c8293ebd9bb74a6
SHA1: f3a488677f6935c508e4901842e30e26d7bee83f
SHA256: 155d04d948f6c7c4f284b8feedb71fbbfce702d8932022563dfd262d947160ca
SHA512: f9c7e1064e0476f81753142c9fa784459d2852136a3cbb2a69b1cff0759341e9391c4310cd1cdb38c8de235304a0946d42027f36a58050354e03933fa395afa2

Filesize: 1.4MB (2 identical entries)
MD5: 8f88b9ad216e9af2b73c6d365387cc0f
SHA1: 87b6087b2088ae50bf33eb523ab5d9354d42a0b5
SHA256: bdd553da63441ada50b1831351a56dcf2ac9d9de2201503227986b70339b1b1f
SHA512: ab51cd6be3c7911962f4a653abe0ce2492a3206e991cc11a535d6f488f0330c8aeb0d7f0b0a32960b71c218675caa305a2ff7fa5add69ba9082b2a755c004ff4

Filesize: 182KB (2 identical entries)
MD5: 15d86de7c60a3f2e1cc1d379ad9c16f9
SHA1: 8c6190a1e0e4066a98d9e6050860a4fc7706b3df
SHA256: 146c605d2c77703ae8f836b933e8faf5dc2125b19106438281ea3398d674a6a3
SHA512: f71c301ec85c102e2a1841e76e1dc3d4af1265b948ae683084bd78512e4503ccad9ead27ad58c8275912ee05549ee045d7a83d58776fbede0e505237c74cd695

Filesize: 1.2MB (2 identical entries)
MD5: aa30e8f201fca906330ac95b16db9d1d
SHA1: 7d3bd317ac3ad8aa49911f6eb56885156b6d187b
SHA256: 6044344b537f8cebfd1b72ec49347da51216bcc79b036a22268a3255dbf43551
SHA512: b5cd407388cbfd943e2ff551374eb46cf184715f437f2a921a35dee90b58363b3d235addf1acd06df9caf0bb6d51a9146a6485d288d33ec18faf68078ce0a073

Filesize: 1.2MB (2 identical entries)
MD5: ca9ffac4fdcc2d4974863f7b8229a98d
SHA1: 33dda52cc4aefa81240d4f1d1f13fcfb1a36dd9c
SHA256: 03c43aeff4fcaa849f37634389302adce754532ba9bb8c900183f532c553c3d5
SHA512: 95a1b8e7850dc56dc036cf9e2340d1962fd4b05d4dbba67ef69da3608188c742f8f8e4c577a4bdaf9511d741f80623eba92aec8de0241925f16ef7be7b7bafe3

Filesize: 1.1MB (3 identical entries)
MD5: 239e209a7b65b3292cf7f20ed90834e2
SHA1: f27d63c298e61865e2b67a836b04f3d9aaf22b91
SHA256: 78f862fd340d055e4dbce6de271a6eedf6deddec1f3a050fc4c4f012478a7242
SHA512: 5c1e59ffbcba5651dc04a965b41c803267b34fe6363c5706e1917dfe64d7588e7baff652ce4f7eb2673cd1f472802943572f1d85165cb52aa2e3d7e1b2c15b3e

Filesize: 219KB (2 identical entries)
MD5: f9d733b19d1fa3c7d045fead6ed51af4
SHA1: 3bc069c3b07d54ff4306d889e64f43462e5715ac
SHA256: 91580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2
SHA512: 9f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac

Filesize: 1.0MB (2 identical entries)
MD5: 30fc469dd45d40ca0d29d259fa0c0159
SHA1: dbffc5c94d1da65354ec4d654bf667d827599e34
SHA256: 9f79268a626156a3f2694256c6119826d3a458464f24ec96ea80e3e65bc8f66c
SHA512: 3439a0e75bb6836078975d9cbf8183e118387b85812f2bb21d99c9907fe3d99da67c9a13e730f8f81402c3db8a411ae2845e1d8cbbe7907c096c560f7757a4ea

Filesize: 656KB (2 identical entries)
MD5: 96c220267dc0b78b3a61fd8acdbf3fca
SHA1: 2eceae7e1d285b3ba8e4e081909ff46a02a8c65f
SHA256: b509c1818229047820ba0fc63cc3e50f44c1b9faf28b2b738e5623b29ef20976
SHA512: 2985be5262e9a6c9442ad679796de3aeffd93984307e8e21cf0f2d53033e15152fadaf4f7c881d1554d6e82bedef1ed6f94c6cb79eea8d7c3f94103e1da9eadd
-
Filesize
30KB
MD5c3bc6af2c19047d11d4663f56c02f211
SHA1a500298076456ef934b7e955e6eb4cb46ec608fd
SHA25625219b7ae08616d3e92aba258d04b427a586c71aea3017484aa95da5ab99307a
SHA512afe75d4745d3ead8243c85d6893b6713e3b42ec1472e3457a87072612a723e202e6cf62ab11ff9785f8e9e22c889716d97256be0ff7a8590377ab810d3158c3a
-
Filesize
30KB
MD5c3bc6af2c19047d11d4663f56c02f211
SHA1a500298076456ef934b7e955e6eb4cb46ec608fd
SHA25625219b7ae08616d3e92aba258d04b427a586c71aea3017484aa95da5ab99307a
SHA512afe75d4745d3ead8243c85d6893b6713e3b42ec1472e3457a87072612a723e202e6cf62ab11ff9785f8e9e22c889716d97256be0ff7a8590377ab810d3158c3a
-
Filesize
532KB
MD51bd7033b7674a52b678ae4d427b8eb03
SHA1456c5e0b2275ad5068af7b63939dff5088667b5c
SHA256089af742b58f5b944f52112a9739839fd4363226847d6bf36cb0e0b35186ca85
SHA5124ad1c2c91d757e6c1b09dae6cd981c4a303aa1db5e11bf6a28b5d76e2e837e7f6f9029048f390b09a0cb46400ea01717bf4f52cf138722b3b6a70680b88c4589
-
Filesize
532KB
MD51bd7033b7674a52b678ae4d427b8eb03
SHA1456c5e0b2275ad5068af7b63939dff5088667b5c
SHA256089af742b58f5b944f52112a9739839fd4363226847d6bf36cb0e0b35186ca85
SHA5124ad1c2c91d757e6c1b09dae6cd981c4a303aa1db5e11bf6a28b5d76e2e837e7f6f9029048f390b09a0cb46400ea01717bf4f52cf138722b3b6a70680b88c4589
-
Filesize
891KB
MD5b51ed5854d8ad33ea7e298b8fdb51a0d
SHA16c04f760a2d34f702b550324317a8b7d3aad2e0d
SHA2563de6f5ff268ffafd264e08db5e9cde208b6ea1789be6a3d912db365d59728e3c
SHA51265da21e8b16d88445bdb457fb5ba6bef9dbd2f8e196e59eb1555b861359e734d11bb066a32ea36f8f79fc4441e598d1fbf128224b5aeab18178c93fcad347b72
-
Filesize
891KB
MD5b51ed5854d8ad33ea7e298b8fdb51a0d
SHA16c04f760a2d34f702b550324317a8b7d3aad2e0d
SHA2563de6f5ff268ffafd264e08db5e9cde208b6ea1789be6a3d912db365d59728e3c
SHA51265da21e8b16d88445bdb457fb5ba6bef9dbd2f8e196e59eb1555b861359e734d11bb066a32ea36f8f79fc4441e598d1fbf128224b5aeab18178c93fcad347b72
-
Filesize
1.1MB
MD5edc6f7c21187ee0d35814961af64772a
SHA1b252ef94fd2627d409d51fac9c0348297eade277
SHA256e79f4d993e90765e775ac638bc8b7648bf50f9d5bc5c2edd783065557ef66063
SHA5127dadd26f5d6f9ae0f38ebc719ce1b7168587d135d68bbee7b2788010928db6170b59697d2ec1aa70c926d6f9757eecc9eadedd6eb6b5719f972fb9586529d88c
-
Filesize
1.1MB
MD5edc6f7c21187ee0d35814961af64772a
SHA1b252ef94fd2627d409d51fac9c0348297eade277
SHA256e79f4d993e90765e775ac638bc8b7648bf50f9d5bc5c2edd783065557ef66063
SHA5127dadd26f5d6f9ae0f38ebc719ce1b7168587d135d68bbee7b2788010928db6170b59697d2ec1aa70c926d6f9757eecc9eadedd6eb6b5719f972fb9586529d88c
-
Filesize
6.5MB
MD5b81b2eb3482efa33317c20415beaf6a4
SHA134711c1bad47eb6b94c242473de396eb9362543e
SHA25661bf7b52d24d540150690db32dd12dbc9a11f8b7ac4bacfd1516df25c2b583dc
SHA512e4f6e69851a7ce778c7e1f8f4904654e887ef505dfe1fe9bc26834f96b787f4573b9bf9d827328690ec274ca102a8a0ce6b098cd49d51214f43760ff7227464b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
219KB
MD5f9d733b19d1fa3c7d045fead6ed51af4
SHA13bc069c3b07d54ff4306d889e64f43462e5715ac
SHA25691580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2
SHA5129f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac
-
Filesize
219KB
MD5f9d733b19d1fa3c7d045fead6ed51af4
SHA13bc069c3b07d54ff4306d889e64f43462e5715ac
SHA25691580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2
SHA5129f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac
-
Filesize
219KB
MD5f9d733b19d1fa3c7d045fead6ed51af4
SHA13bc069c3b07d54ff4306d889e64f43462e5715ac
SHA25691580ab78c30ef8a104edd31b3810967b9dcd0af7ea1e7d7e122fe16b14f57b2
SHA5129f201e4b76ebb3902af7098ede7bce371118264517062611f99ecfb6a204b0a8a83a487ef421be02e404964d039e1736496c6d6af0a3975f77dd41d3085ba7ac
-
Filesize
8KB
MD501707599b37b1216e43e84ae1f0d8c03
SHA1521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA5129f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
180KB
MD54d1f0d9bfac03f5237d800cd61ed1133
SHA1a8d2884e093ac24d23d48c804f617a0115fe697c
SHA2562b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9