Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
22/11/2023, 22:21
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20231023-en
General
-
Target
file.exe
-
Size
261KB
-
MD5
0d546c070d24fc673e397df12f20d221
-
SHA1
afd76c7cd0d61176faef5bec7e2c9b0fccd68b4c
-
SHA256
ef74c4c21db18cfae6ef7ec3761c074d433f81945835613f0772c87c077cb137
-
SHA512
fdd1f5bef2fc395cff5cefab300f5988efbfbe8af64272eb9aa1d1799d15f4c57a9d3f2382a96106e27dfef43f1ade972890610b1f79e35c1f5e92961fb0da11
-
SSDEEP
3072:vwdS7GTWpu5cc2ScxIt/Q70p3vYr4yUkF5Nf/PEIPT:xzpuh2TItIQryUCf/Pn
Malware Config
Extracted
smokeloader
2022
http://onualituyrs.org/
http://sumagulituyo.org/
http://snukerukeutit.org/
http://lightseinsteniki.org/
http://liuliuoumumy.org/
http://stualialuyastrelia.net/
http://kumbuyartyty.net/
http://criogetikfenbut.org/
http://tonimiuyaytre.org/
http://tyiuiunuewqy.org/
Extracted
djvu
http://zexeq.com/lancer/get.php
-
extension
.iicc
-
offline_id
MI4io8cIlhyYsGaDxoKsbpWzfIe5lGPE0dYtrht1
-
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-Y6UIMfI736 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0826ASdw
Extracted
redline
LogsDiller Cloud (Bot: @logsdillabot)
194.49.94.181:40264
Signatures
-
Detected Djvu ransomware 17 IoCs
resource yara_rule behavioral1/memory/2948-36-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2756-33-0x0000000000A10000-0x0000000000B2B000-memory.dmp family_djvu behavioral1/memory/2948-32-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-37-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2948-76-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-96-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-98-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/1704-123-0x0000000000A30000-0x0000000001252000-memory.dmp family_djvu behavioral1/memory/1704-129-0x0000000075F70000-0x0000000076080000-memory.dmp family_djvu behavioral1/memory/2448-131-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-132-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-174-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-224-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-247-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-249-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-277-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2448-301-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 7 IoCs
resource yara_rule behavioral1/memory/2240-46-0x0000000002B50000-0x000000000343B000-memory.dmp family_glupteba behavioral1/memory/2240-47-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2240-81-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2240-85-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/2240-116-0x0000000002B50000-0x000000000343B000-memory.dmp family_glupteba behavioral1/memory/2240-114-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba behavioral1/memory/1704-123-0x0000000000A30000-0x0000000001252000-memory.dmp family_glupteba -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2112-465-0x0000000000400000-0x000000000043C000-memory.dmp family_redline behavioral1/memory/2112-466-0x0000000000400000-0x000000000043C000-memory.dmp family_redline behavioral1/memory/2112-468-0x0000000000400000-0x000000000043C000-memory.dmp family_redline behavioral1/memory/2112-470-0x0000000000400000-0x000000000043C000-memory.dmp family_redline behavioral1/memory/2112-472-0x0000000000400000-0x000000000043C000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs
description pid Process procid_target PID 2000 created 1216 2000 latestX.exe 15 PID 2000 created 1216 2000 latestX.exe 15 PID 2000 created 1216 2000 latestX.exe 15 PID 2000 created 1216 2000 latestX.exe 15 PID 2000 created 1216 2000 latestX.exe 15 PID 1576 created 1216 1576 mi.exe 15 PID 1576 created 1216 1576 mi.exe 15 PID 1576 created 1216 1576 mi.exe 15 PID 1576 created 1216 1576 mi.exe 15 PID 1576 created 1216 1576 mi.exe 15 PID 1576 created 1216 1576 mi.exe 15 PID 2764 created 1216 2764 updater.exe 15 PID 2764 created 1216 2764 updater.exe 15 PID 2764 created 1216 2764 updater.exe 15 PID 2764 created 1216 2764 updater.exe 15 PID 2764 created 1216 2764 updater.exe 15 PID 2764 created 1216 2764 updater.exe 15 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D3F4.exe = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" D3F4.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3FF1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6D98.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ mi.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts latestX.exe File created C:\Windows\System32\drivers\etc\hosts mi.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 2176 netsh.exe 2632 netsh.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3FF1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3FF1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6D98.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6D98.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mi.exe -
Deletes itself 1 IoCs
pid Process 1216 Explorer.EXE -
Executes dropped EXE 27 IoCs
pid Process 2756 C41A.exe 2948 C41A.exe 2240 D3F4.exe 908 C41A.exe 2780 150A.exe 2448 C41A.exe 2404 D3F4.exe 1704 3FF1.exe 1288 InstallSetup5.exe 2012 toolspub2.exe 1644 5611.exe 2472 d21cbe21e38b385a41a68c5e6dd32f4c.exe 1928 6D98.exe 2000 latestX.exe 1316 build2.exe 2680 Broom.exe 1460 build3.exe 1544 build2.exe 2764 updater.exe 1984 build3.exe 1576 mi.exe 2612 d21cbe21e38b385a41a68c5e6dd32f4c.exe 2900 toolspub2.exe 2508 csrss.exe 1712 patch.exe 1348 injector.exe 1776 updater.exe -
Loads dropped DLL 28 IoCs
pid Process 2632 regsvr32.exe 2756 C41A.exe 2948 C41A.exe 2948 C41A.exe 908 C41A.exe 2780 150A.exe 2780 150A.exe 2780 150A.exe 2780 150A.exe 2780 150A.exe 2780 150A.exe 2448 C41A.exe 2448 C41A.exe 1288 InstallSetup5.exe 2448 C41A.exe 2448 C41A.exe 2004 taskeng.exe 2112 AppLaunch.exe 2012 toolspub2.exe 2404 D3F4.exe 2404 D3F4.exe 860 Process not Found 1712 patch.exe 1712 patch.exe 1712 patch.exe 1712 patch.exe 1712 patch.exe 2508 csrss.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1960 icacls.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0008000000016d63-121.dat themida behavioral1/files/0x0008000000016d63-154.dat themida behavioral1/memory/1704-186-0x0000000000A30000-0x0000000001252000-memory.dmp themida behavioral1/files/0x0005000000005b82-190.dat themida behavioral1/files/0x0005000000005b82-238.dat themida behavioral1/files/0x000300000000f703-749.dat themida behavioral1/files/0x000300000000f703-752.dat themida -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D3F4.exe = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" D3F4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" D3F4.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\714c3047-99b9-4996-8eca-0c69cb3a3658\\C41A.exe\" --AutoStart" C41A.exe Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" D3F4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mi.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3FF1.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6D98.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 20 api.2ip.ua 21 api.2ip.ua 26 api.2ip.ua -
Drops file in System32 directory 5 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 1704 3FF1.exe 1928 6D98.exe 1576 mi.exe -
Suspicious use of SetThreadContext 8 IoCs
description pid Process procid_target PID 2756 set thread context of 2948 2756 C41A.exe 31 PID 908 set thread context of 2448 908 C41A.exe 44 PID 1316 set thread context of 1544 1316 build2.exe 60 PID 1644 set thread context of 2112 1644 5611.exe 62 PID 1460 set thread context of 1984 1460 build3.exe 90 PID 2012 set thread context of 2900 2012 toolspub2.exe 98 PID 2764 set thread context of 1580 2764 updater.exe 152 PID 2764 set thread context of 2532 2764 updater.exe 153 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description ioc Process File opened (read-only) \??\VBoxMiniRdrDN D3F4.exe File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files\Google\Chrome\updater.exe latestX.exe File created C:\Program Files\Google\Chrome\updater.exe mi.exe File created C:\Program Files\Google\Libs\WR64.sys updater.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File created C:\Windows\rss\csrss.exe D3F4.exe File opened for modification C:\Windows\rss d21cbe21e38b385a41a68c5e6dd32f4c.exe File created C:\Windows\rss\csrss.exe d21cbe21e38b385a41a68c5e6dd32f4c.exe File created C:\Windows\Logs\CBS\CbsPersist_20231122222206.cab makecab.exe File opened for modification C:\Windows\rss D3F4.exe -
Launches sc.exe 15 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 768 sc.exe 2460 sc.exe 2008 sc.exe 1052 sc.exe 2420 sc.exe 944 sc.exe 1916 sc.exe 2084 sc.exe 1592 sc.exe 2676 sc.exe 1996 sc.exe 1736 sc.exe 2984 sc.exe 2684 sc.exe 2504 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspub2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 build2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString build2.exe -
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2068 schtasks.exe 1920 schtasks.exe 2876 schtasks.exe 2600 schtasks.exe 1984 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2868 timeout.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" D3F4.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates explorer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" netsh.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20b1a886921dda01 powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" D3F4.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" D3F4.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" D3F4.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" D3F4.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2292 file.exe 2292 file.exe 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1216 Explorer.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 476 Process not Found -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2292 file.exe 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 1216 Explorer.EXE 2900 toolspub2.exe -
Suspicious use of AdjustPrivilegeToken 31 IoCs
description pid Process Token: SeDebugPrivilege 2240 D3F4.exe Token: SeImpersonatePrivilege 2240 D3F4.exe Token: SeShutdownPrivilege 1216 Explorer.EXE Token: SeShutdownPrivilege 1216 Explorer.EXE Token: SeDebugPrivilege 1860 powershell.exe Token: SeShutdownPrivilege 880 powercfg.exe Token: SeDebugPrivilege 1736 powershell.exe Token: SeDebugPrivilege 1704 3FF1.exe Token: SeDebugPrivilege 1928 6D98.exe Token: SeShutdownPrivilege 2760 powercfg.exe Token: SeShutdownPrivilege 2644 powercfg.exe Token: SeShutdownPrivilege 2344 powercfg.exe Token: SeDebugPrivilege 2112 AppLaunch.exe Token: SeShutdownPrivilege 1216 Explorer.EXE Token: SeShutdownPrivilege 1216 Explorer.EXE Token: SeDebugPrivilege 2472 d21cbe21e38b385a41a68c5e6dd32f4c.exe Token: SeImpersonatePrivilege 2472 d21cbe21e38b385a41a68c5e6dd32f4c.exe Token: SeSystemEnvironmentPrivilege 2508 csrss.exe Token: SeDebugPrivilege 2288 powershell.exe Token: SeShutdownPrivilege 2620 powercfg.exe Token: SeShutdownPrivilege 1564 powercfg.exe Token: SeShutdownPrivilege 2192 powercfg.exe Token: SeShutdownPrivilege 2768 powercfg.exe Token: SeDebugPrivilege 1948 powershell.exe Token: SeShutdownPrivilege 1104 powercfg.exe Token: SeDebugPrivilege 2428 powershell.exe Token: SeShutdownPrivilege 2932 powercfg.exe Token: SeShutdownPrivilege 2664 powercfg.exe Token: SeShutdownPrivilege 2816 powercfg.exe Token: SeDebugPrivilege 2764 updater.exe Token: SeLockMemoryPrivilege 2532 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2680 Broom.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1216 wrote to memory of 2756 1216 Explorer.EXE 28 PID 1216 wrote to memory of 2756 1216 Explorer.EXE 28 PID 1216 wrote to memory of 2756 1216 Explorer.EXE 28 PID 1216 wrote to memory of 2756 1216 Explorer.EXE 28 PID 1216 wrote to memory of 2744 1216 Explorer.EXE 29 PID 1216 wrote to memory of 2744 1216 Explorer.EXE 29 PID 1216 wrote to memory of 2744 1216 Explorer.EXE 29 PID 1216 wrote to memory of 2744 1216 Explorer.EXE 29 PID 1216 wrote to memory of 2744 1216 Explorer.EXE 29 PID 2744 wrote to memory of 2632 2744 regsvr32.exe 30 PID 2744 wrote to memory of 2632 2744 regsvr32.exe 30 PID 2744 wrote to memory of 2632 2744 regsvr32.exe 30 PID 2744 wrote to memory of 2632 2744 regsvr32.exe 30 PID 2744 wrote to memory of 2632 2744 regsvr32.exe 30 PID 2744 wrote to memory of 2632 2744 regsvr32.exe 30 PID 2744 wrote to memory of 2632 2744 regsvr32.exe 30 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 2756 wrote to memory of 2948 2756 C41A.exe 31 PID 1216 wrote to memory of 2240 1216 Explorer.EXE 32 PID 1216 wrote to memory of 2240 1216 Explorer.EXE 32 PID 1216 wrote to memory of 2240 1216 Explorer.EXE 32 PID 1216 wrote to memory of 2240 1216 Explorer.EXE 32 PID 2948 wrote to memory of 1960 2948 C41A.exe 37 PID 2948 wrote to memory of 1960 2948 C41A.exe 37 PID 2948 wrote to memory of 1960 2948 C41A.exe 37 PID 2948 wrote to memory of 1960 2948 C41A.exe 37 PID 2948 wrote to memory of 908 2948 C41A.exe 39 PID 2948 wrote to memory of 908 2948 C41A.exe 39 PID 2948 wrote to memory of 908 2948 C41A.exe 39 PID 2948 wrote to memory of 908 2948 C41A.exe 39 PID 1216 wrote to memory of 2780 1216 Explorer.EXE 40 PID 1216 wrote to memory of 2780 1216 Explorer.EXE 40 PID 1216 wrote to memory of 2780 1216 Explorer.EXE 40 PID 1216 wrote to memory of 2780 1216 Explorer.EXE 40 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 908 wrote to memory of 2448 908 C41A.exe 44 PID 1216 wrote to memory of 1704 1216 Explorer.EXE 46 PID 1216 wrote to memory of 1704 1216 Explorer.EXE 46 PID 1216 wrote to memory of 1704 1216 Explorer.EXE 46 PID 1216 wrote to memory of 1704 1216 Explorer.EXE 46 PID 2780 wrote to memory of 1288 2780 150A.exe 48 PID 2780 wrote to memory of 1288 2780 150A.exe 48 PID 2780 wrote to memory of 1288 2780 150A.exe 48 PID 2780 wrote to memory of 1288 2780 150A.exe 48 PID 2780 wrote to memory of 1288 2780 150A.exe 48 PID 2780 wrote to memory of 1288 2780 150A.exe 48 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 explorer.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2292
-
-
C:\Users\Admin\AppData\Local\Temp\C41A.exeC:\Users\Admin\AppData\Local\Temp\C41A.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\C41A.exeC:\Users\Admin\AppData\Local\Temp\C41A.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\714c3047-99b9-4996-8eca-0c69cb3a3658" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
PID:1960
-
-
C:\Users\Admin\AppData\Local\Temp\C41A.exe"C:\Users\Admin\AppData\Local\Temp\C41A.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Users\Admin\AppData\Local\Temp\C41A.exe"C:\Users\Admin\AppData\Local\Temp\C41A.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build2.exe"C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1316 -
C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build2.exe"C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build2.exe"7⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies system certificate store
PID:1544 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\IDAEHCFHJJ.exe"8⤵PID:584
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build2.exe" & del "C:\ProgramData\*.dll"" & exit8⤵PID:2624
-
C:\Windows\SysWOW64\timeout.exetimeout /t 59⤵
- Delays execution with timeout.exe
PID:2868
-
-
-
-
-
C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build3.exe"C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1460 -
C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build3.exe"C:\Users\Admin\AppData\Local\05b80f49-0359-4663-9795-4fb69894d82b\build3.exe"7⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"8⤵
- Creates scheduled task(s)
PID:2068
-
-
-
-
-
-
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\C7B3.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\C7B3.dll3⤵
- Loads dropped DLL
PID:2632
-
-
-
C:\Users\Admin\AppData\Local\Temp\D3F4.exeC:\Users\Admin\AppData\Local\Temp\D3F4.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\D3F4.exe"C:\Users\Admin\AppData\Local\Temp\D3F4.exe"3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2404 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵PID:2208
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2632
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
PID:1920
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵PID:2320
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1712
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
- Executes dropped EXE
PID:1348
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\150A.exeC:\Users\Admin\AppData\Local\Temp\150A.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Users\Admin\AppData\Local\Temp\Broom.exeC:\Users\Admin\AppData\Local\Temp\Broom.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680
-
-
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2900
-
-
-
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:2612 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"5⤵PID:2124
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes6⤵
- Modifies Windows Firewall
PID:2176
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\latestX.exe"C:\Users\Admin\AppData\Local\Temp\latestX.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:2000
-
-
-
C:\Users\Admin\AppData\Local\Temp\3FF1.exeC:\Users\Admin\AppData\Local\Temp\3FF1.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Users\Admin\AppData\Local\Temp\5611.exeC:\Users\Admin\AppData\Local\Temp\5611.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1644 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\mi.exe"C:\Users\Admin\AppData\Local\Temp\mi.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
PID:1576
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6D98.exeC:\Users\Admin\AppData\Local\Temp\6D98.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2820
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:612
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:768
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:2084
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1052
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2420
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:944
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1444
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1736 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:1984
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:1640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1452
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2984
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1592
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:2008
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2684
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2676
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"2⤵PID:2752
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:1584
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\ogxcngdqzicz.xml"2⤵
- Creates scheduled task(s)
PID:2876
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2544
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1948
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1780
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2504
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1916
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1996
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2460
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:1736
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:892
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2428 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2600
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:1580
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231122222206.log C:\Windows\Logs\CBS\CbsPersist_20231122222206.cab1⤵
- Drops file in Windows directory
PID:1528
-
C:\Windows\system32\taskeng.exetaskeng.exe {85603B4E-C5D2-4551-A5EF-B4FC312D5B15} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:2004 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Executes dropped EXE
PID:1776
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /D /T1⤵PID:1212
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
3Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5e8115cd4deb7c7f08d5b40eea4c336c6
SHA155dc5c576eaa87bd87380f5ff11ded0bc434bfcf
SHA256792cb4f801fd293addb64d6686077ef8b034cda21dfee3110f23a995c9dedf19
SHA5120a3e98e2628e27263e0ec3b9370642468ca62cc03023c5a5776a776b99388b5bc266fe509f42d82855740548a8e2b13eba68f6c0c51ad4edb804c79555b1877d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD56a7988d6141f5d81ffb64404ffbfb9d7
SHA1bf35d559193243bdd52f8b1d0741f3c80469802a
SHA256b1cb44408229d30ba86db5d1bf3afdd10f57c19430c785ff61fc38443c7b905c
SHA512d8b26208fb075ff76897b6beac7fa041ee5810be13789c4bb5bad337adfb55a36d6e64267ee78f6c7d833c8ea05f1d9de89a5ac4839bb4d417ff92ed63cffc43
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b39424f1d2e866b4e2653fde121d83da
SHA1190019a6022f49e8e449cafce709893d7141ed39
SHA256939ffef3b2fbea33927f4d1d36861bd620fce76773c2c8c9dbb1dfce6849bbce
SHA51213894cb57d5fdf487f50deac8f3ac9174b90e302088279c9fc7c63e7e5146cc8539af19f00ef2a07a6f0185eb59b608215b3824ab8d61cef1e1ae1d1d605428a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53d44928a6bf82c5d8dd2c0037825e09e
SHA1b7c0dbe38d00e01e86623d08edf5b1b8bc9e300f
SHA25686f58bf6ad4de91b579d98856999e356ffbefc1a5842a793bacb510e38fe215a
SHA51271c8d74e79228f2fc5ff6b99d0ebe4482d147b138087918c9a3ba5d2d4b56e07d4be7763728c1461d6e62f12f1a8091b45bfdc78f40d0e923564dbfce091504e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD5fcf1a2a4b97d36270616ff80db70e3c4
SHA123dbb016cd36192a7a67686e22323ade7f27a2d5
SHA2569484039515fb0826e3f87be8d598bb879c1723a429ee88a532bd6f6021fb4f60
SHA512a92e0f4785615da9ccae582e4f6b31847b9c7be28bd46dff6ee71fd6f24f7521f9eb1647eaab7455bd4b6acaaa26fbc6957e7cd9bba00229a9aa332d75447899
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5176eadc69555a8a8a68b96b21a800855
SHA1745cce27f752773342928dca1ff4e47e7e4a2932
SHA2561751015257e5ca298ccc8ac0748a2a95116444ce7f134714ab57313b3e0a22be
SHA5126b30ea9bd8c5fda7a328db5a071fffde3c710d9c8830b83bf9589ead8d6449e2f6ebc87d41c9b4e88ce29a0d251bc88ccab8e0187c396bcc9e432fba01856e50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5176eadc69555a8a8a68b96b21a800855
SHA1745cce27f752773342928dca1ff4e47e7e4a2932
SHA2561751015257e5ca298ccc8ac0748a2a95116444ce7f134714ab57313b3e0a22be
SHA5126b30ea9bd8c5fda7a328db5a071fffde3c710d9c8830b83bf9589ead8d6449e2f6ebc87d41c9b4e88ce29a0d251bc88ccab8e0187c396bcc9e432fba01856e50
-
Filesize
222KB
MD5cb3caf60d63416b453f082de56510f98
SHA1b06d9d1fd647e7e176d8b88c23be1b59f23ca26e
SHA256d883478d7646dd5f53a6ce22e76b432cf1023fb456d2fe8c90176b96754db9e9
SHA5121cb17bd4b917fdfcd322438c54df7bad6dc82756558fc39e531083ee02977c107de00ce0bce2553962cf2ad6a2f6d5181d5f235cda4457149539f0aa52c361e7
-
Filesize
222KB
MD5cb3caf60d63416b453f082de56510f98
SHA1b06d9d1fd647e7e176d8b88c23be1b59f23ca26e
SHA256d883478d7646dd5f53a6ce22e76b432cf1023fb456d2fe8c90176b96754db9e9
SHA5121cb17bd4b917fdfcd322438c54df7bad6dc82756558fc39e531083ee02977c107de00ce0bce2553962cf2ad6a2f6d5181d5f235cda4457149539f0aa52c361e7
-
Filesize
222KB
MD5cb3caf60d63416b453f082de56510f98
SHA1b06d9d1fd647e7e176d8b88c23be1b59f23ca26e
SHA256d883478d7646dd5f53a6ce22e76b432cf1023fb456d2fe8c90176b96754db9e9
SHA5121cb17bd4b917fdfcd322438c54df7bad6dc82756558fc39e531083ee02977c107de00ce0bce2553962cf2ad6a2f6d5181d5f235cda4457149539f0aa52c361e7
-
Filesize
222KB
MD5cb3caf60d63416b453f082de56510f98
SHA1b06d9d1fd647e7e176d8b88c23be1b59f23ca26e
SHA256d883478d7646dd5f53a6ce22e76b432cf1023fb456d2fe8c90176b96754db9e9
SHA5121cb17bd4b917fdfcd322438c54df7bad6dc82756558fc39e531083ee02977c107de00ce0bce2553962cf2ad6a2f6d5181d5f235cda4457149539f0aa52c361e7
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
12.3MB
MD5788ae36c88bdc0b60fb4455d833b486c
SHA10e00efd8a59dc6bb0d17589104a1e048d2123877
SHA2563ce85883196c60029ea274d02b47b099e5d8b0f8b8acee778605857a51ee72e2
SHA512ad47042b3ebd8b9c2153c43046e2a399ddd01350526878493e1f234f7cd8f42356cd6e150ea1b9d70b52cea24a27898cf5f9c8a1be395cca19050fbb173d525d
-
Filesize
12.3MB
MD5788ae36c88bdc0b60fb4455d833b486c
SHA10e00efd8a59dc6bb0d17589104a1e048d2123877
SHA2563ce85883196c60029ea274d02b47b099e5d8b0f8b8acee778605857a51ee72e2
SHA512ad47042b3ebd8b9c2153c43046e2a399ddd01350526878493e1f234f7cd8f42356cd6e150ea1b9d70b52cea24a27898cf5f9c8a1be395cca19050fbb173d525d
-
Filesize
2.9MB
MD5b7fcbcbec2fc5da47fc2ff72eb185f1f
SHA174019a27b2fa7a8b7410d1fa21b720fd5ba87faf
SHA256c7d73b2881a094fd28cc529d4ae52081742bfb099af28767bfbdb354189c608d
SHA5122bb9f539f530bce86e7b55cdd54bde46ff0477a8e2a66b58be62719555bf37e5f0aeb346f3a48b36cb75a9f7c1dea41d0041ba70ed86bef7969a32d6a7a69615
-
Filesize
2.9MB
MD5b7fcbcbec2fc5da47fc2ff72eb185f1f
SHA174019a27b2fa7a8b7410d1fa21b720fd5ba87faf
SHA256c7d73b2881a094fd28cc529d4ae52081742bfb099af28767bfbdb354189c608d
SHA5122bb9f539f530bce86e7b55cdd54bde46ff0477a8e2a66b58be62719555bf37e5f0aeb346f3a48b36cb75a9f7c1dea41d0041ba70ed86bef7969a32d6a7a69615
-
Filesize
1.9MB
MD5f7fb4aad83cd709349c92b39599ab872
SHA19f2299651d68b1ff0ece39574ec0b88fa0504500
SHA25654c1f8810d2d8056f666617bfd6cdc3644732ead4c6e72dd5ee3bee6fe3a148b
SHA51272a410cb7586a7c85881f5ced332493079d69eeda9b7e3b486208a936af243a38aa6953882dc3f23074676347726a85dcc7013ca9615685a7b04a6b3b02a50ed
-
Filesize
1.9MB
MD5f7fb4aad83cd709349c92b39599ab872
SHA19f2299651d68b1ff0ece39574ec0b88fa0504500
SHA25654c1f8810d2d8056f666617bfd6cdc3644732ead4c6e72dd5ee3bee6fe3a148b
SHA51272a410cb7586a7c85881f5ced332493079d69eeda9b7e3b486208a936af243a38aa6953882dc3f23074676347726a85dcc7013ca9615685a7b04a6b3b02a50ed
-
Filesize
2.7MB
MD551715bae817a6663a0af48759cf295ba
SHA1adc692bca60e3f83a6c73899f0be575c5e093b62
SHA25691c91dd407422587981f0a77fec9f173d02baf1048658fdfa081ef8a934439b1
SHA512149da22a70b3dac962ff302351dec1c514eb3925ea296658da5871526d85bbd71b9191e4dc95ed82215354d520ff84ecf081a30ce2f715c1b1974c8a92af8f4b
-
Filesize
2.7MB
MD551715bae817a6663a0af48759cf295ba
SHA1adc692bca60e3f83a6c73899f0be575c5e093b62
SHA25691c91dd407422587981f0a77fec9f173d02baf1048658fdfa081ef8a934439b1
SHA512149da22a70b3dac962ff302351dec1c514eb3925ea296658da5871526d85bbd71b9191e4dc95ed82215354d520ff84ecf081a30ce2f715c1b1974c8a92af8f4b
-
Filesize
5.3MB
MD500e93456aa5bcf9f60f84b0c0760a212
SHA16096890893116e75bd46fea0b8c3921ceb33f57d
SHA256ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
2.8MB
MD510588d36a931fdf33941efe5e30a19dc
SHA1e301cc043d7e3879c22e24f02e3ecc70ea62ad88
SHA25624da42b0cf9e89556d4461a380302656abe834315232657d5a00feb4a2891170
SHA5120f10b41ddb270f784d6a4bbb33a3ae4dc1341cf0ed5afcc563ebf130c8dfd84d50f36acf5413c964f6be83a249e910236acdd650dc5f2b3cba3228724c281804
-
Filesize
61KB
MD5f3441b8572aae8801c04f3060b550443
SHA14ef0a35436125d6821831ef36c28ffaf196cda15
SHA2566720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA5125ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
4.2MB
MD5890bfdf3c7eecbb505c0fdc415f466b3
SHA190889e27be89519f23d85915956d989b75793c8d
SHA256e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72
SHA512e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece
-
Filesize
4.2MB
MD5890bfdf3c7eecbb505c0fdc415f466b3
SHA190889e27be89519f23d85915956d989b75793c8d
SHA256e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72
SHA512e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece
-
Filesize
4.2MB
MD5890bfdf3c7eecbb505c0fdc415f466b3
SHA190889e27be89519f23d85915956d989b75793c8d
SHA256e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72
SHA512e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece
-
Filesize
4.2MB
MD5890bfdf3c7eecbb505c0fdc415f466b3
SHA190889e27be89519f23d85915956d989b75793c8d
SHA256e617e19dce9f15496c331be6daf2006a03573d50e42b34f2ae9ee4aee2bc8c72
SHA512e08f327a03ede89a8e8df0a50244458095ed8afd132be8f21323cb81cfe5fb09d18266d0f5186dfd12d48649ffbb2dd1c8ec35951702f2b99adb1075fd776ece
-
Filesize
2.3MB
MD5cba9c1d1fcbf999d9ccb04050c5c5154
SHA1554e436c9c3f1f16c9a9b7ab74dd4cd191118481
SHA256c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842
SHA512c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b
-
Filesize
2.3MB
MD5cba9c1d1fcbf999d9ccb04050c5c5154
SHA1554e436c9c3f1f16c9a9b7ab74dd4cd191118481
SHA256c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842
SHA512c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b
-
Filesize
163KB
MD59441737383d21192400eca82fda910ec
SHA1725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA5127608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize
4.2MB
MD5949ec0b69598677e2a1413d267e96c29
SHA1bf67d63774bb568441bdd3357d9af1c8a36c8912
SHA256e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67
SHA5124e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e
-
Filesize
4.2MB
MD5949ec0b69598677e2a1413d267e96c29
SHA1bf67d63774bb568441bdd3357d9af1c8a36c8912
SHA256e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67
SHA5124e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e
-
Filesize
4.2MB
MD5949ec0b69598677e2a1413d267e96c29
SHA1bf67d63774bb568441bdd3357d9af1c8a36c8912
SHA256e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67
SHA5124e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e
-
Filesize
4.2MB
MD5949ec0b69598677e2a1413d267e96c29
SHA1bf67d63774bb568441bdd3357d9af1c8a36c8912
SHA256e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67
SHA5124e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
9.8MB
MD50c94dab8983cdcd24e20acc744d6c1fc
SHA1ce1d210b1e0f8e0c11d12dbc51ffb6a8e0ac5488
SHA256ceb16107568d6cf42532b81405b431720a209b46427a264e8b4e7015d3128a1b
SHA512f8efba22550b7a742e95429fd77fd296a8bb72ea457a20201eb4db2ea7ffb3334564b087c85cf38103cd012f06de5968041d186d61b3ad73789f3c12e1ab2388
-
Filesize
5.3MB
MD51afff8d5352aecef2ecd47ffa02d7f7d
SHA18b115b84efdb3a1b87f750d35822b2609e665bef
SHA256c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb
-
Filesize
260KB
MD523a3f8ff6a8e447ee8b48e8c9e188123
SHA1bdf493ca01d7450de254187f4af38f645d7d5166
SHA2569255e00c6aa2208cc146527b062285215b6da58735ac14714d8049611bb6e5d0
SHA512645e71d205bce54b02ed4a1442ce009bfd20de89e1fc6e12648cd1c81dfc0a86ebb0e52cda14ed1d3c9bae549fa6530a08c8a75fdbc5568d0498888070bb233a
-
Filesize
260KB
MD523a3f8ff6a8e447ee8b48e8c9e188123
SHA1bdf493ca01d7450de254187f4af38f645d7d5166
SHA2569255e00c6aa2208cc146527b062285215b6da58735ac14714d8049611bb6e5d0
SHA512645e71d205bce54b02ed4a1442ce009bfd20de89e1fc6e12648cd1c81dfc0a86ebb0e52cda14ed1d3c9bae549fa6530a08c8a75fdbc5568d0498888070bb233a
-
Filesize
260KB
MD523a3f8ff6a8e447ee8b48e8c9e188123
SHA1bdf493ca01d7450de254187f4af38f645d7d5166
SHA2569255e00c6aa2208cc146527b062285215b6da58735ac14714d8049611bb6e5d0
SHA512645e71d205bce54b02ed4a1442ce009bfd20de89e1fc6e12648cd1c81dfc0a86ebb0e52cda14ed1d3c9bae549fa6530a08c8a75fdbc5568d0498888070bb233a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5f9f6a87dc4cbfdf1bd7f143e6c15e5d1
SHA15d05350a3f056093a84666fc3143e2c1d7d91743
SHA256dab21999ff832fd7e8665f26e9aa047cd7d15aca48144a2a5de20531a89f7997
SHA512b5df58d2a32ee8ccd43f699dce5a605ffa7a7cbabf0b6f3cb34407e54f56af7312521f10c8a318afe852f333ebdd976b85188e50aedcf783b5d4ffcb856b8a52
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YUNKBDS3NM9XKXJ3518Z.temp
Filesize7KB
MD5f9f6a87dc4cbfdf1bd7f143e6c15e5d1
SHA15d05350a3f056093a84666fc3143e2c1d7d91743
SHA256dab21999ff832fd7e8665f26e9aa047cd7d15aca48144a2a5de20531a89f7997
SHA512b5df58d2a32ee8ccd43f699dce5a605ffa7a7cbabf0b6f3cb34407e54f56af7312521f10c8a318afe852f333ebdd976b85188e50aedcf783b5d4ffcb856b8a52
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
222KB
MD5cb3caf60d63416b453f082de56510f98
SHA1b06d9d1fd647e7e176d8b88c23be1b59f23ca26e
SHA256d883478d7646dd5f53a6ce22e76b432cf1023fb456d2fe8c90176b96754db9e9
SHA5121cb17bd4b917fdfcd322438c54df7bad6dc82756558fc39e531083ee02977c107de00ce0bce2553962cf2ad6a2f6d5181d5f235cda4457149539f0aa52c361e7
-
Filesize
222KB
MD5cb3caf60d63416b453f082de56510f98
SHA1b06d9d1fd647e7e176d8b88c23be1b59f23ca26e
SHA256d883478d7646dd5f53a6ce22e76b432cf1023fb456d2fe8c90176b96754db9e9
SHA5121cb17bd4b917fdfcd322438c54df7bad6dc82756558fc39e531083ee02977c107de00ce0bce2553962cf2ad6a2f6d5181d5f235cda4457149539f0aa52c361e7
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
5.3MB
MD500e93456aa5bcf9f60f84b0c0760a212
SHA16096890893116e75bd46fea0b8c3921ceb33f57d
SHA256ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504
SHA512abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
725KB
MD551a1f6538e7bc1b077c363f42b98f856
SHA1b78a88eda0e8afde24722bd431f9e8fb850538e7
SHA256229f9a49f2912600deb7ea5f2e4c5fce9ae2d9ed2ef317b376571bf0a3266adf
SHA512597caa8570171304fbc9fefbdbc4f9a9e0d1db04e089d911b8928d9d99c25cefe4f9fab82a313244c73aef51a9eca838526525473bbeb3d583598b0a2f8271eb
-
Filesize
2.8MB
MD510588d36a931fdf33941efe5e30a19dc
SHA1e301cc043d7e3879c22e24f02e3ecc70ea62ad88
SHA25624da42b0cf9e89556d4461a380302656abe834315232657d5a00feb4a2891170
SHA5120f10b41ddb270f784d6a4bbb33a3ae4dc1341cf0ed5afcc563ebf130c8dfd84d50f36acf5413c964f6be83a249e910236acdd650dc5f2b3cba3228724c281804
-
Filesize
2.3MB
MD5cba9c1d1fcbf999d9ccb04050c5c5154
SHA1554e436c9c3f1f16c9a9b7ab74dd4cd191118481
SHA256c3ab7948969593528e883956dc2cb0a754a4832076bc2e9b6c4f1c7ce2002842
SHA512c7d8be36705e08fcd8a7ed8a319aac2aa1d26397081a75511408d51871daa05e21c89be7428eda8a5f7f757ba0c0e74e710e8515b26c89c19b8d7f480a1c0a0b
-
Filesize
4.2MB
MD5949ec0b69598677e2a1413d267e96c29
SHA1bf67d63774bb568441bdd3357d9af1c8a36c8912
SHA256e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67
SHA5124e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e
-
Filesize
4.2MB
MD5949ec0b69598677e2a1413d267e96c29
SHA1bf67d63774bb568441bdd3357d9af1c8a36c8912
SHA256e3782310fc1c0bf50b836e4bee87785564b4d0b05c87d363651164fc9dc64d67
SHA5124e5c53d4e57890543665fa7e083de2159ebd9a3a1433d1e10a65f37f887c09f01ddcb3a69223a45514f7f0285882924da97dbf41ff1939df79278d18c1a7ca7e
-
Filesize
5.6MB
MD5bae29e49e8190bfbbf0d77ffab8de59d
SHA14a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA5129e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2
-
Filesize
9.8MB
MD50c94dab8983cdcd24e20acc744d6c1fc
SHA1ce1d210b1e0f8e0c11d12dbc51ffb6a8e0ac5488
SHA256ceb16107568d6cf42532b81405b431720a209b46427a264e8b4e7015d3128a1b
SHA512f8efba22550b7a742e95429fd77fd296a8bb72ea457a20201eb4db2ea7ffb3334564b087c85cf38103cd012f06de5968041d186d61b3ad73789f3c12e1ab2388
-
Filesize
260KB
MD523a3f8ff6a8e447ee8b48e8c9e188123
SHA1bdf493ca01d7450de254187f4af38f645d7d5166
SHA2569255e00c6aa2208cc146527b062285215b6da58735ac14714d8049611bb6e5d0
SHA512645e71d205bce54b02ed4a1442ce009bfd20de89e1fc6e12648cd1c81dfc0a86ebb0e52cda14ed1d3c9bae549fa6530a08c8a75fdbc5568d0498888070bb233a
-
Filesize
260KB
MD523a3f8ff6a8e447ee8b48e8c9e188123
SHA1bdf493ca01d7450de254187f4af38f645d7d5166
SHA2569255e00c6aa2208cc146527b062285215b6da58735ac14714d8049611bb6e5d0
SHA512645e71d205bce54b02ed4a1442ce009bfd20de89e1fc6e12648cd1c81dfc0a86ebb0e52cda14ed1d3c9bae549fa6530a08c8a75fdbc5568d0498888070bb233a
-
Filesize
260KB
MD523a3f8ff6a8e447ee8b48e8c9e188123
SHA1bdf493ca01d7450de254187f4af38f645d7d5166
SHA2569255e00c6aa2208cc146527b062285215b6da58735ac14714d8049611bb6e5d0
SHA512645e71d205bce54b02ed4a1442ce009bfd20de89e1fc6e12648cd1c81dfc0a86ebb0e52cda14ed1d3c9bae549fa6530a08c8a75fdbc5568d0498888070bb233a