Analysis
  max time kernel: 96s
  max time network: 157s
  platform: windows10-2004_x64
  resource: win10v2004-20231023-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26/10/2023, 09:08
  Static task: static1
  Behavioral task: behavioral1
    Sample: 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe
    Resource: win10v2004-20231023-en

General
  Target: 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe
  Size: 1.6MB
  MD5: 9f120294fd4d2ba37e8ab4a4b42b4ccf
  SHA1: 24a86850ad48705f9be56cb0e532602a15fa523a
  SHA256: 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0
  SHA512: 034e06734080d20f790ad90b5d338505d89e4a35b84eb64675af58ae852399f48aacb1c2f6a341d738726f46d8d5bd41d05b8aa35c282c1be1ef4b839393a658
  SSDEEP: 49152:hOkW2OJw2vE1FqOkOQW8uFz7QCHGliWeIxe68emTExds:QRFE1FTaeQCHnFqSTo
Malware Config
Extracted: smokeloader, version 2022
  C2: http://77.91.68.29/fks/
Extracted: redline, botnet grome
  C2: 77.91.124.86:19084
Extracted: amadey, version 3.89
  C2: http://77.91.124.1/theme/index.php
  install_dir: fefffe8cea
  install_file: explothe.exe
  strings_key: 36a96139c1118a354edf72b1080d4b2f
Extracted: redline, botnet kinza
  C2: 77.91.124.86:19084
Extracted: smokeloader, version up3
Extracted: smokeloader, version 2020
  C2: http://host-file-host6.com/
  C2: http://host-host-file8.com/
Extracted: raccoon
  6a6a005b9aa778f606280c5fa24ae595
  C2: http://195.123.218.98:80
  C2: http://31.192.23
  user_agent: SunShineMoonLight
Signatures
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description | ioc | pid | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | - | 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe
- | - | 1616 | schtasks.exe
- | - | 1632 | schtasks.exe
- | - | 3656 | schtasks.exe
Detect ZGRat V1 1 IoCs
resource | yara_rule
behavioral1/memory/4240-600-0x0000000000340000-0x0000000000720000-memory.dmp | family_zgrat_v1
Glupteba payload 3 IoCs
resource | yara_rule
behavioral1/memory/6108-668-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/6108-774-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/6108-821-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4AF3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4AF3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4AF3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4AF3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4AF3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Raccoon Stealer payload 3 IoCs
resource | yara_rule
behavioral1/memory/1508-741-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
behavioral1/memory/1508-745-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
behavioral1/memory/1508-749-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 8 IoCs
resource | yara_rule
behavioral1/memory/1360-99-0x0000000000400000-0x000000000043E000-memory.dmp | family_redline
behavioral1/files/0x0007000000022d30-328.dat | family_redline
behavioral1/files/0x0007000000022d30-329.dat | family_redline
behavioral1/memory/5836-359-0x0000000000550000-0x00000000005AA000-memory.dmp | family_redline
behavioral1/memory/5836-413-0x0000000000400000-0x000000000047E000-memory.dmp | family_redline
behavioral1/memory/5020-439-0x0000000000010000-0x000000000004E000-memory.dmp | family_redline
behavioral1/memory/2516-533-0x0000000000710000-0x000000000076A000-memory.dmp | family_redline
behavioral1/memory/2516-558-0x0000000000400000-0x000000000047E000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 5648 created 3320 | 5648 | latestX.exe | 59
PID 5648 created 3320 | 5648 | latestX.exe | 59
PID 5648 created 3320 | 5648 | latestX.exe | 59
PID 5648 created 3320 | 5648 | latestX.exe | 59
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | latestX.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
pid | Process
1124 | netsh.exe
Stops running service(s) 3 TTPs
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | 5Ie7PL4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | explothe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | kos4.exe
Executes dropped EXE 42 IoCs
pid | Process
2932 | mK1XA25.exe
4060 | ma9cL62.exe
3056 | jy3uO78.exe
3668 | uV6dJ08.exe
432 | eO1iD34.exe
2620 | 1oE77FI0.exe
3452 | 2ov9153.exe
4800 | 3KQ75Fv.exe
3564 | 4OS609Ye.exe
1236 | 5Ie7PL4.exe
1544 | explothe.exe
4276 | 6DA5dP6.exe
2740 | 7IN1gt02.exe
3988 | explothe.exe
6044 | 4532.exe
6076 | msedge.exe
5220 | vS3cv7Ny.exe
3264 | md5uC1Kk.exe
5364 | ig9ND9Br.exe
5288 | 493C.exe
5668 | hW6pu6vt.exe
5752 | 4AF3.exe
5820 | 1Ea32tu8.exe
1616 | 4D84.exe
5836 | 4F3A.exe
5020 | 2nO120ja.exe
4224 | Conhost.exe
5768 | 8725.exe
2516 | 88AC.exe
3248 | toolspub2.exe
6108 | 31839b57a4f11171d6abc8bbc4451ee4.exe
5416 | kos4.exe
5648 | latestX.exe
5140 | LzmwAqmV.exe
6084 | LzmwAqmV.tmp
4240 | A4F0.exe
5900 | toolspub2.exe
1316 | zDriveTools.exe
1620 | zDriveTools.exe
4292 | 31839b57a4f11171d6abc8bbc4451ee4.exe
3348 | 1157.exe
5988 | powershell.exe
Loads dropped DLL 9 IoCs
pid | Process
5836 | 4F3A.exe
5836 | 4F3A.exe
2516 | 88AC.exe
2516 | 88AC.exe
6084 | LzmwAqmV.tmp
6084 | LzmwAqmV.tmp
6084 | LzmwAqmV.tmp
4240 | A4F0.exe
5960 | rundll32.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4AF3.exe
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | mK1XA25.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | jy3uO78.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | vS3cv7Ny.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ig9ND9Br.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | hW6pu6vt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ma9cL62.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | uV6dJ08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | eO1iD34.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 4532.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | md5uC1Kk.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8725.exe'\"" | 8725.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of SetThreadContext 6 IoCs
description | pid | Process | procid_target
PID 2620 set thread context of 4812 | 2620 | 1oE77FI0.exe | 96
PID 3452 set thread context of 1844 | 3452 | 2ov9153.exe | 98
PID 3564 set thread context of 1360 | 3564 | 4OS609Ye.exe | 104
PID 5820 set thread context of 3656 | 5820 | 1Ea32tu8.exe | 179
PID 3248 set thread context of 5900 | 3248 | toolspub2.exe | 200
PID 4240 set thread context of 1508 | 4240 | A4F0.exe | 207
Drops file in Program Files directory 24 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Drive Tools\is-KHOCV.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-QFFOU.tmp | LzmwAqmV.tmp
File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-987R3.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-E4G1J.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-2P3C7.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-2O18J.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-A7GGR.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-VV009.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\Lang\is-UTO9D.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-CLEF9.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-J2OSP.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-0N1MV.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-4T2MS.tmp | LzmwAqmV.tmp
File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\unins000.dat | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-AMF2J.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-DITDB.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-E3QTU.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-MMSQH.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-GDBKB.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-C43AH.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-KTTVU.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-RO3IL.tmp | LzmwAqmV.tmp
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | 4F3A.exe
Launches sc.exe 11 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
4420 | sc.exe
4560 | sc.exe
2148 | sc.exe
3700 | sc.exe
1816 | sc.exe
3100 | sc.exe
2828 | sc.exe
6012 | sc.exe
4444 | sc.exe
1224 | sc.exe
1948 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 5 IoCs
pid | pid_target | Process | procid_target
1068 | 1844 | WerFault.exe | 98
4840 | 5836 | WerFault.exe | 161
5896 | 3656 | WerFault.exe | 179
5284 | 2516 | WerFault.exe | 187
4340 | 1508 | WerFault.exe | 207
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3KQ75Fv.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3KQ75Fv.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3KQ75Fv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1616 | schtasks.exe
1632 | schtasks.exe
3656 | schtasks.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
4812 | AppLaunch.exe | 2
4800 | 3KQ75Fv.exe | 2
3320 | Explorer.EXE | all remaining entries (60 of 64)
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
4800 | 3KQ75Fv.exe
5900 | toolspub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid | Process | entries
3468 | msedge.exe | all 15
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | entries
Token: SeDebugPrivilege | 4812 | AppLaunch.exe | 1
Token: SeDebugPrivilege | 5752 | 4AF3.exe | 1
Token: SeDebugPrivilege | 5416 | kos4.exe | 1
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3320 | Explorer.EXE | all remaining entries (61 of 64)
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process | entries
3468 | msedge.exe | 25
6084 | LzmwAqmV.tmp | 1 (last entry)
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process | entries
3468 | msedge.exe | all 24
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Windows\Explorer.EXE (PID 3320)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe (PID 4988)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5714d0cd0fa6ab01767b9f5b56f6ebe8ce60149dd09205fc14b688b7d4b6a4b0.exe"
    - DcRat
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe (PID 2932)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mK1XA25.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe (PID 4060)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ma9cL62.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe (PID 3056)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jy3uO78.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe (PID 3668)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uV6dJ08.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe (PID 432)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\eO1iD34.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
              C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe (PID 2620)
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1oE77FI0.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4812)
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  - Modifies Windows Defender Real-time Protection settings
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe (PID 3452)
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ov9153.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1844)
                  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  C:\Windows\SysWOW64\WerFault.exe (PID 1068)
                    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 196
                    - Program crash
            C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe (PID 4800)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3KQ75Fv.exe
              - Executes dropped EXE
              - Checks SCSI registry key(s)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe (PID 3564)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4OS609Ye.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2832)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 1360)
              Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe (PID 1236)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ie7PL4.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe (PID 1544)
            Command line: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
            - Checks computer location settings
            - Executes dropped EXE
            C:\Windows\SysWOW64\schtasks.exe (PID 1616)
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
              - DcRat
              - Creates scheduled task(s)
            C:\Windows\SysWOW64\cmd.exe (PID 3844)
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              C:\Windows\SysWOW64\cmd.exe (PID 2180)
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              C:\Windows\SysWOW64\cacls.exe (PID 4996)
                Command line: CACLS "explothe.exe" /P "Admin:N"
              C:\Windows\SysWOW64\cacls.exe (PID 4524)
                Command line: CACLS "explothe.exe" /P "Admin:R" /E
              C:\Windows\SysWOW64\cmd.exe (PID 4840)
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              C:\Windows\SysWOW64\cacls.exe (PID 4760)
                Command line: CACLS "..\fefffe8cea" /P "Admin:N"
              C:\Windows\SysWOW64\cacls.exe (PID 4452)
                Command line: CACLS "..\fefffe8cea" /P "Admin:R" /E
            C:\Windows\SysWOW64\rundll32.exe (PID 5960)
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              - Loads dropped DLL
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe (PID 4276)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6DA5dP6.exe
        - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe (PID 2740)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe
      - Executes dropped EXE
      C:\Windows\system32\cmd.exe (PID 1320)
        Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1DA5.tmp\1DB5.tmp\1DB6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN1gt02.exe"
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3468)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4756)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x148,0x174,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1696)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3424)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:8
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1628)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4312)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4664)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4732)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5160)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5428)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5436)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5284)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5396)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5972)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6096)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6076)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
            - Executes dropped EXE
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5240)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5228)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5304)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2572)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1828)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5312)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7284 /prefetch:8
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6112)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,12119760436017153929,12975412688562994442,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8144 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2104)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4552)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2816)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16123523405751983624,8471195437817248918,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5028)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16123523405751983624,8471195437817248918,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4808)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1296)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2704)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11715136987403279359,8478760683434930365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2124)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11715136987403279359,8478760683434930365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  C:\Users\Admin\AppData\Local\Temp\4532.exe (PID 6044)
    Command line: C:\Users\Admin\AppData\Local\Temp\4532.exe
    - Executes dropped EXE
    - Adds Run key to start application
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe (PID 5220)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vS3cv7Ny.exe
      - Executes dropped EXE
      - Adds Run key to start application
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe (PID 3264)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\md5uC1Kk.exe
        - Executes dropped EXE
        - Adds Run key to start application
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe (PID 5364)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ig9ND9Br.exe
          - Executes dropped EXE
          - Adds Run key to start application
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe (PID 5668)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\hW6pu6vt.exe
            - Executes dropped EXE
            - Adds Run key to start application
            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe (PID 5820)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Ea32tu8.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3656)
                Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                C:\Windows\SysWOW64\WerFault.exe (PID 5896)
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 540
                  - Program crash
            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nO120ja.exe (PID 5020)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2nO120ja.exe
              - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\45FE.exe (PID 6076)
    Command line: C:\Users\Admin\AppData\Local\Temp\45FE.exe
  C:\Windows\system32\cmd.exe (PID 5312)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\47E3.bat" "
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5080)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5804)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2552)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5948)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3600)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5184)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff912cc46f8,0x7ff912cc4708,0x7ff912cc4718
  C:\Users\Admin\AppData\Local\Temp\493C.exe (PID 5288)
    Command line: C:\Users\Admin\AppData\Local\Temp\493C.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\4AF3.exe (PID 5752)
    Command line: C:\Users\Admin\AppData\Local\Temp\4AF3.exe
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\4D84.exe (PID 1616)
    Command line: C:\Users\Admin\AppData\Local\Temp\4D84.exe
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\4F3A.exe (PID 5836)
    Command line: C:\Users\Admin\AppData\Local\Temp\4F3A.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    C:\Windows\SysWOW64\WerFault.exe (PID 4840)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5836 -s 796
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\8520.exe (PID 4224)
    Command line: C:\Users\Admin\AppData\Local\Temp\8520.exe
    C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (PID 3248)
      Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      C:\Users\Admin\AppData\Local\Temp\toolspub2.exe (PID 5900)
        Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
    C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe (PID 6108)
      Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      - Executes dropped EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2584)
        Command line: powershell -nologo -noprofile
      C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe (PID 4292)
        Command line: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5396)
          Command line: powershell -nologo -noprofile
          - Modifies data under HKEY_USERS
        C:\Windows\system32\cmd.exe (PID 1816)
          Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
          C:\Windows\System32\Conhost.exe (PID 4224)
            Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            - Executes dropped EXE
          C:\Windows\system32\netsh.exe (PID 1124)
            Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
            - Modifies Windows Firewall
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5988)
          Command line: powershell -nologo -noprofile
          - Executes dropped EXE
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5252)
          Command line: powershell -nologo -noprofile
        C:\Windows\rss\csrss.exe (PID 1240)
          Command line: C:\Windows\rss\csrss.exe
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5812)
            Command line: powershell -nologo -noprofile
          C:\Windows\SYSTEM32\schtasks.exe (PID 1632)
            Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)
          C:\Windows\SYSTEM32\schtasks.exe (PID 1052)
            Command line: schtasks /delete /tn ScheduledUpdate /f
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5996)
            Command line: powershell -nologo -noprofile
          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1312)
            Command line: powershell -nologo -noprofile
            C:\Windows\System32\Conhost.exe (PID 4444)
              Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe (PID 5248)
            Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
          C:\Windows\SYSTEM32\schtasks.exe (PID 3656)
            Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - DcRat
            - Creates scheduled task(s)
          C:\Windows\windefender.exe (PID 6028)
            Command line: "C:\Windows\windefender.exe"
            C:\Windows\SysWOW64\cmd.exe (PID 2516)
              Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              C:\Windows\SysWOW64\sc.exe (PID 4560)
                Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                - Launches sc.exe
    C:\Users\Admin\AppData\Local\Temp\kos4.exe (PID 5416)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe (PID 5140)
        Command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp (PID 6084)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-IOMIP.tmp\LzmwAqmV.tmp" /SL5="$F0090,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of FindShellTrayWindow
          C:\Windows\SysWOW64\schtasks.exe (PID 5896)
            Command line: "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"
          C:\Program Files (x86)\Drive Tools\zDriveTools.exe (PID 1316)
            Command line: "C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i
            - Executes dropped EXE
          C:\Windows\SysWOW64\schtasks.exe (PID 5876)
            Command line: "C:\Windows\system32\schtasks.exe" /Query
          C:\Program Files (x86)\Drive Tools\zDriveTools.exe (PID 1620)
            Command line: "C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s
            - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\latestX.exe (PID 5648)
      Command line: "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in Drivers directory
      - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\8725.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\8725.exe
- Executes dropped EXE
- Adds Run key to start application
PID:5768
-
-
C:\Users\Admin\AppData\Local\Temp\88AC.exeC:\Users\Admin\AppData\Local\Temp\88AC.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 7843⤵
- Program crash
PID:5284
-
-
-
C:\Users\Admin\AppData\Local\Temp\A4F0.exeC:\Users\Admin\AppData\Local\Temp\A4F0.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4240 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:1508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 5724⤵
- Program crash
PID:4340
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4796
-
-
C:\Users\Admin\AppData\Local\Temp\1157.exeC:\Users\Admin\AppData\Local\Temp\1157.exe2⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵PID:5936
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:5644
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:6012
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2148
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:4444
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3700
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1816
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:60
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1444
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:212
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:1796
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:5672
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:4492
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:4444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:5260
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:2668
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1224
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1948
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:3100
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2828
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:4420
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1316
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:1828
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:5852
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:5616
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:5172
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:1376
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2416
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:4768
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1844 -ip 18441⤵PID:3400
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:3988
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:992
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5284
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5836 -ip 58361⤵PID:3420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3656 -ip 36561⤵PID:5868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2516 -ip 25161⤵PID:5760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1508 -ip 15081⤵PID:5628
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵PID:5988
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵PID:4712
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:3608
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Scheduled Task/Job (1)
Downloads
-
Filesize
219KB
MD5485ca334a9cccf3c67f3bc2f5818e438
SHA170677dc0b2375fbbdd03be0aa74961a48161fb1d
SHA25663736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02
SHA51280bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3
-
Filesize
219KB
MD5485ca334a9cccf3c67f3bc2f5818e438
SHA170677dc0b2375fbbdd03be0aa74961a48161fb1d
SHA25663736f770cf2740fcd586d6cff9e01fe836bcbe7708dbb69d3b2bd81be207d02
SHA51280bdf4e716e55ee05a89f03c00b81c67e83550d6f7eb5f4cb9c839baacf13b2be1ce006899131f183f9e7c2f9b3bd47b750098855df26a3044f8d4f138fba7e3
-
Filesize
8KB
MD501707599b37b1216e43e84ae1f0d8c03
SHA1521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA5129f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
180KB
MD54d1f0d9bfac03f5237d800cd61ed1133
SHA1a8d2884e093ac24d23d48c804f617a0115fe697c
SHA2562b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9
-
Filesize
89KB
MD5e913b0d252d36f7c9b71268df4f634fb
SHA15ac70d8793712bcd8ede477071146bbb42d3f018
SHA2564cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA5123ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize
273B
MD5a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA15aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA2565f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA5123cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9