Resubmissions
11-02-2024 08:10
240211-j212ragb47 1011-02-2024 08:09
240211-j2kprseb2w 1009-02-2024 18:28
240209-w4c4xsde9t 1002-02-2024 12:52
240202-p4dxwsgfej 1002-02-2024 12:45
240202-pzapnsgdbp 1016-01-2024 15:29
240116-sw8dbaehh3 1010-01-2024 14:41
240110-r2wq2ahchl 1010-01-2024 13:29
240110-qrqatshbg3 1022-12-2023 08:48
231222-kqp1sadghq 10Analysis
-
max time kernel
374s -
max time network
378s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
16-01-2024 15:29
Static task
static1
Behavioral task
behavioral1
Sample
4363463463464363463463463.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
4363463463464363463463463.exe
Resource
win10-20231220-en
Behavioral task
behavioral3
Sample
4363463463464363463463463.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral4
Sample
4363463463464363463463463.exe
Resource
win11-20231215-en
Errors
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
gh0strat
www.996m2m2.top
Extracted
remcos
Go!!!
dangerous.hopto.org:2404
dangerous.hopto.org:2602
91.92.242.184:2602
91.92.242.184:2404
-
audio_folder
??????????? ??????
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
taskhost.exe
-
copy_folder
System32
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
tapiui.dat
-
keylog_flag
false
-
keylog_folder
System32
-
mouse_option
false
-
mutex
???-LDKG91
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
?????????
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
| Edit 3LOSH RAT
Load_Man
leetman.dynuddns.com:1337
AsyncMutex_6SI8asdasd2casOkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
lumma
http://freckletropsao.pw/api
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Lumma Stealer payload V2 1 IoCs
resource yara_rule behavioral1/files/0x000400000001d953-2492.dat family_lumma_V2 -
Detect Lumma Stealer payload V4 1 IoCs
resource yara_rule behavioral1/files/0x000400000001d953-2492.dat family_lumma_v4 -
Detect ZGRat V1 15 IoCs
resource yara_rule behavioral1/memory/1248-278-0x000000001B5A0000-0x000000001B6DC000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-279-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-280-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-282-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-284-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-286-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-288-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-290-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-294-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-292-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-296-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-298-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-300-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-302-0x000000001B5A0000-0x000000001B6D6000-memory.dmp family_zgrat_v1 behavioral1/memory/1248-1215-0x000000001BC70000-0x000000001BCF0000-memory.dmp family_zgrat_v1 -
Gh0st RAT payload 4 IoCs
resource yara_rule behavioral1/memory/2920-119-0x0000000010000000-0x0000000010015000-memory.dmp family_gh0strat behavioral1/memory/2724-134-0x0000000000400000-0x0000000000464000-memory.dmp family_gh0strat behavioral1/memory/1892-138-0x0000000000400000-0x0000000000464000-memory.dmp family_gh0strat behavioral1/memory/2920-143-0x0000000000400000-0x0000000000464000-memory.dmp family_gh0strat -
Modifies firewall policy service 2 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
description pid Process procid_target PID 1988 created 1196 1988 Fighting.pif 21 PID 1988 created 1196 1988 Fighting.pif 21 PID 2212 created 2124 2212 pinguin.exe 27 -
Async RAT payload 1 IoCs
resource yara_rule behavioral1/memory/1764-1549-0x0000000000080000-0x0000000000096000-memory.dmp asyncrat -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AUTOKEY.exe -
Downloads MZ/PE file
-
Looks for VMWare services registry key. 1 TTPs 7 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware images.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware Restoro.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware NINJA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware 2k.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware jsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VMware 4363463463464363463463463.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kk7c39o3719a.exe C9B5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kk7c39o3719a.exe\DisableExceptionChainValidation C9B5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "fdcoxwnnx.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion AUTOKEY.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion AUTOKEY.exe -
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SBADLH.lnk NINJA.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url cmd.exe -
Executes dropped EXE 60 IoCs
pid Process 876 done.exe 2920 lve5.exe 2724 Gsoymaq.exe 1892 Gsoymaq.exe 752 Setup2010u32.exe 320 as.exe 744 CleanUp Icons FOP.exe 1592 IconRemoval.exe 1612 7zipFOPBACKEND.exe 3048 twty.exe 1248 Zxgdah.exe 2564 Zxgdah.exe 2600 Zxgdah.exe 3032 Zxgdah.exe 2056 Zxgdah.exe 524 Zxgdah.exe 2020 Zxgdah.exe 240 Zxgdah.exe 2840 Zxgdah.exe 1936 Zxgdah.exe 1652 Zxgdah.exe 2880 asas.exe 2572 MartDrum.exe 2972 dart.exe 1988 Fighting.pif 620 cayV0Deo9jSt417.exe 972 taskhost.exe 1764 jsc.exe 2212 pinguin.exe 1872 kb%5Efr_ouverture.exe 1596 liveupdate.exe 1308 more.exe 2744 2k.exe 2840 abtc8mhlbehqil.exe 2104 Update.exe 1392 bin.exe 2908 NINJA.exe 860 more.exe 2548 images.exe 2580 system.exe 1648 images.exe 1036 file.exe 2536 tuc5.exe 1528 is-5RSIS.tmp 2448 SynapseExploit.exe 2420 UdioConverterRipper.exe 2608 UdioConverterRipper.exe 2692 crypted.exe 3024 e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe 2668 e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe 1668 system.exe 2892 AUTOKEY.exe 1468 64_6666.exe 1900 C9B5.exe 916 soft.exe 928 E6E7.exe 2736 Restoro.exe 2808 sqlite3.exe 1784 sqlite3.exe 2708 sqlite3.exe -
Loads dropped DLL 64 IoCs
pid Process 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 752 Setup2010u32.exe 752 Setup2010u32.exe 1496 Process not Found 752 Setup2010u32.exe 752 Setup2010u32.exe 752 Setup2010u32.exe 752 Setup2010u32.exe 2124 4363463463464363463463463.exe 3048 twty.exe 3048 twty.exe 2124 4363463463464363463463463.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 2124 4363463463464363463463463.exe 2756 Process not Found 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2212 cmd.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 1304 clip.exe 3048 twty.exe 1988 Fighting.pif 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2456 WerFault.exe 2456 WerFault.exe 2212 pinguin.exe 1596 liveupdate.exe 2456 WerFault.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2744 2k.exe 1848 2k.exe 2124 4363463463464363463463463.exe 1540 cmd.exe 2124 4363463463464363463463463.exe 2908 NINJA.exe 1308 more.exe 2400 cmd.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2536 tuc5.exe 2536 tuc5.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ThreadingModel = "Apartment" twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ThreadingModel = "Apartment" twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\7z.dll" twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ThreadingModel = "Apartment" twty.exe Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\7z.dll" twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\7z.dll" twty.exe -
resource yara_rule behavioral1/files/0x0007000000015e09-78.dat upx behavioral1/memory/2920-82-0x0000000000400000-0x0000000000464000-memory.dmp upx behavioral1/memory/2724-127-0x0000000000400000-0x0000000000464000-memory.dmp upx behavioral1/memory/1892-133-0x0000000000400000-0x0000000000464000-memory.dmp upx behavioral1/memory/2724-134-0x0000000000400000-0x0000000000464000-memory.dmp upx behavioral1/memory/1892-138-0x0000000000400000-0x0000000000464000-memory.dmp upx behavioral1/memory/2920-143-0x0000000000400000-0x0000000000464000-memory.dmp upx behavioral1/files/0x0009000000015e94-146.dat upx behavioral1/files/0x0009000000015e94-150.dat upx behavioral1/files/0x0009000000015e94-154.dat upx behavioral1/memory/752-174-0x0000000000EE0000-0x00000000011E0000-memory.dmp upx behavioral1/memory/752-222-0x0000000000EE0000-0x00000000011E0000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\kk7c39o3719a.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\kk7c39o3719a.exe\"" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\???-LDKG91 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\taskhost.exe\"" clip.exe Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SBADLH = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\system.exe\"" NINJA.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AUTOKEY.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4363463463464363463463463.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2k.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Restoro.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA crypted.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA done.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C9B5.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NINJA.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jsc.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA soft.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA images.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: lve5.exe File opened (read-only) \??\X: lve5.exe File opened (read-only) \??\I: lve5.exe File opened (read-only) \??\M: lve5.exe File opened (read-only) \??\O: lve5.exe File opened (read-only) \??\R: lve5.exe File opened (read-only) \??\W: lve5.exe File opened (read-only) \??\Z: lve5.exe File opened (read-only) \??\J: lve5.exe File opened (read-only) \??\L: lve5.exe File opened (read-only) \??\N: lve5.exe File opened (read-only) \??\Q: lve5.exe File opened (read-only) \??\T: lve5.exe File opened (read-only) \??\G: lve5.exe File opened (read-only) \??\K: lve5.exe File opened (read-only) \??\P: lve5.exe File opened (read-only) \??\S: lve5.exe File opened (read-only) \??\V: lve5.exe File opened (read-only) \??\Y: lve5.exe File opened (read-only) \??\B: lve5.exe File opened (read-only) \??\E: lve5.exe File opened (read-only) \??\H: lve5.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 14 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 jsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum images.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 done.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Restoro.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 2k.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 NINJA.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 images.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum NINJA.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 4363463463464363463463463.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum jsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum 4363463463464363463463463.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum done.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum Restoro.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2k.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs
pid Process 2744 2k.exe 1848 2k.exe 2692 crypted.exe 2892 AUTOKEY.exe 1900 C9B5.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 2736 Restoro.exe 2736 Restoro.exe 2736 Restoro.exe 2736 Restoro.exe 2908 NINJA.exe 1848 2k.exe 1764 jsc.exe 2124 4363463463464363463463463.exe 2908 NINJA.exe 2908 NINJA.exe 1848 2k.exe 1848 2k.exe 2908 NINJA.exe 1764 jsc.exe 1848 2k.exe 1764 jsc.exe 1764 jsc.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 2124 4363463463464363463463463.exe 1648 images.exe 1648 images.exe 1648 images.exe 1648 images.exe 876 done.exe -
Suspicious use of SetThreadContext 10 IoCs
description pid Process procid_target PID 620 set thread context of 1304 620 cayV0Deo9jSt417.exe 94 PID 2744 set thread context of 1848 2744 2k.exe 110 PID 1596 set thread context of 1540 1596 liveupdate.exe 104 PID 1392 set thread context of 2488 1392 bin.exe 113 PID 1308 set thread context of 860 1308 more.exe 125 PID 2376 set thread context of 436 2376 certutil.exe 126 PID 2548 set thread context of 1648 2548 images.exe 143 PID 1036 set thread context of 2588 1036 file.exe 145 PID 2448 set thread context of 2736 2448 SynapseExploit.exe 150 PID 3024 set thread context of 2668 3024 e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe 157 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\ClocX\Lang\Portuguese.lng twty.exe File created C:\Program Files (x86)\ClocX\Lang\Simple_Chinese.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\black and steel.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\AquaB.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\BlueSphere2.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\DSX4.BMP twty.exe File created C:\Program Files (x86)\ClocX\Presets\iToolsClock2.png twty.exe File created C:\Program Files (x86)\Gsoymaq.exe lve5.exe File created C:\Program Files (x86)\ClocX\Presets\CarpeDiem.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.png twty.exe File created C:\Program Files (x86)\ClocX\Lang\Slovenian.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\BlueBallStd.ini twty.exe File created C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng twty.exe File created C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\Aqua.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\iSink.bmp twty.exe File created C:\Program Files (x86)\ClocX\Presets\Violeta.png twty.exe File created C:\Program Files (x86)\ClocX\Lang\Nederlands.lng twty.exe File created C:\Program Files (x86)\ClocX\Lang\Polish.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\BallClockRed.bmp twty.exe File created C:\Program Files (x86)\ClocX\Presets\woodone\woodmin.png twty.exe File created C:\Program Files (x86)\ClocX\Lang\Suomi.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\Uhr.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\WidestoneStudios.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\mars.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\woodone\woodhour.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\secondhand-7.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\VioletteKugler.ini twty.exe File created C:\Program Files (x86)\ClocX\Lang\Afrikaans.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\Blue_sphere.bmp twty.exe File created C:\Program Files (x86)\ClocX\Sounds\ring2.mp3 twty.exe File created C:\Program Files (x86)\ClocX\Lang\Srpski.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\Neon.png twty.exe File created C:\Program Files (x86)\ClocX\Lang\Hebrew.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\CloQ.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\Jaguar.bmp twty.exe File created C:\Program Files (x86)\ClocX\Presets\Wonderglobe2.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\Alte Standuhr.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp twty.exe File created C:\Program Files (x86)\ClocX\Presets\CloQ.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\IvyLace.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\NewDefault.bmp twty.exe File created C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\minutehand-7.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\BallClockIce.bmp twty.exe File created C:\Program Files (x86)\ClocX\Presets\Jaguar2.png twty.exe File created C:\Program Files (x86)\ClocX\Lang\Japanese.lng twty.exe File created C:\Program Files (x86)\ClocX\Sounds\ring.wav twty.exe File created C:\Program Files (x86)\ClocX\Lang\Arabic.lng twty.exe File created C:\Program Files (x86)\ClocX\Lang\French.lng twty.exe File created C:\Program Files (x86)\ClocX\Lang\Espanol.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-minute.hpng twty.exe File created C:\Program Files (x86)\ClocX\Presets\DSX4.TXT twty.exe File created C:\Program Files (x86)\ClocX\Lang\Romanian.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\cowboy2.ini twty.exe File created C:\Program Files (x86)\ClocX\Presets\hallow.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\longhorn.png twty.exe File created C:\Program Files (x86)\ClocX\Lang\Indonesian.lng twty.exe File created C:\Program Files (x86)\ClocX\Presets\BaiWeather.png twty.exe File created C:\Program Files (x86)\ClocX\Presets\Citizen.png twty.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Panther\UnattendGC\7z.dll twty.exe File opened for modification C:\Windows\restoro.ini Restoro.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 2456 1872 WerFault.exe 99 1656 2816 WerFault.exe 118 -
NSIS installer 5 IoCs
resource yara_rule behavioral1/files/0x00050000000192ff-235.dat nsis_installer_1 behavioral1/files/0x00050000000192ff-235.dat nsis_installer_2 behavioral1/files/0x000400000001d34b-1529.dat nsis_installer_1 behavioral1/files/0x000400000001d34b-1529.dat nsis_installer_2 behavioral1/files/0x000500000001db45-2641.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz lve5.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C9B5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C9B5.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 lve5.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2344 schtasks.exe 3052 schtasks.exe 2216 schtasks.exe 1048 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1664 timeout.exe -
Enumerates processes with tasklist 1 TTPs 4 IoCs
pid Process 2320 tasklist.exe 2244 tasklist.exe 1588 tasklist.exe 1728 tasklist.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Modifies registry class 22 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4}" twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4} twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4} twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ThreadingModel = "Apartment" twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\7z.dll" twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ThreadingModel = "Apartment" twty.exe Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4} twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\7z.dll" twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ThreadingModel = "Apartment" twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4D7EFD-3B36-B231-2E47-CD99F96AD2A4} twty.exe Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID twty.exe Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4} twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32 twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96} twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}\InProcServer32\ = "C:\\Windows\\Panther\\UnattendGC\\7z.dll" twty.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx twty.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx\ = "{2E4D7EFD-3B36-B231-2E47-CD99F96AD2A4}" twty.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 4363463463464363463463463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 4363463463464363463463463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 4363463463464363463463463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 4363463463464363463463463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 4363463463464363463463463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 4363463463464363463463463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 4363463463464363463463463.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd 4363463463464363463463463.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 4363463463464363463463463.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\Files\winmgmts:\localhost\root\SecurityCenter2 NINJA.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1380 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2920 lve5.exe 320 as.exe 320 as.exe 320 as.exe 320 as.exe 320 as.exe 320 as.exe 320 as.exe 3048 twty.exe 3048 twty.exe 3048 twty.exe 3048 twty.exe 3048 twty.exe 3048 twty.exe 3048 twty.exe 3048 twty.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1248 Zxgdah.exe 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif 2212 pinguin.exe 2212 pinguin.exe 1596 liveupdate.exe 1764 jsc.exe 1540 cmd.exe 1540 cmd.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe 2908 NINJA.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2908 NINJA.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 464 Process not Found -
Suspicious behavior: MapViewOfSection 38 IoCs
pid Process 2744 2k.exe 1596 liveupdate.exe 1540 cmd.exe 2668 e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe 1900 C9B5.exe 1900 C9B5.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 668 explorer.exe 2736 Restoro.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2124 4363463463464363463463463.exe Token: SeDebugPrivilege 320 as.exe Token: SeDebugPrivilege 1248 Zxgdah.exe Token: SeDebugPrivilege 2320 tasklist.exe Token: SeDebugPrivilege 2244 tasklist.exe Token: 33 2080 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2080 AUDIODG.EXE Token: 33 2080 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2080 AUDIODG.EXE Token: SeDebugPrivilege 1764 jsc.exe Token: SeDebugPrivilege 2104 Update.exe Token: SeDebugPrivilege 1988 powershell.exe Token: SeLockMemoryPrivilege 436 explorer.exe Token: SeLockMemoryPrivilege 436 explorer.exe Token: SeDebugPrivilege 860 more.exe Token: SeDebugPrivilege 2428 powershell.exe Token: SeDebugPrivilege 1648 images.exe Token: SeDebugPrivilege 2736 AppLaunch.exe Token: SeLoadDriverPrivilege 2692 crypted.exe Token: SeDebugPrivilege 2892 AUTOKEY.exe Token: 1 2892 AUTOKEY.exe Token: SeCreateTokenPrivilege 2892 AUTOKEY.exe Token: SeAssignPrimaryTokenPrivilege 2892 AUTOKEY.exe Token: SeLockMemoryPrivilege 2892 AUTOKEY.exe Token: SeIncreaseQuotaPrivilege 2892 AUTOKEY.exe Token: SeMachineAccountPrivilege 2892 AUTOKEY.exe Token: SeTcbPrivilege 2892 AUTOKEY.exe Token: SeSecurityPrivilege 2892 AUTOKEY.exe Token: SeTakeOwnershipPrivilege 2892 AUTOKEY.exe Token: SeLoadDriverPrivilege 2892 AUTOKEY.exe Token: SeSystemProfilePrivilege 2892 AUTOKEY.exe Token: SeSystemtimePrivilege 2892 AUTOKEY.exe Token: SeProfSingleProcessPrivilege 2892 AUTOKEY.exe Token: SeIncBasePriorityPrivilege 2892 AUTOKEY.exe Token: SeCreatePagefilePrivilege 2892 AUTOKEY.exe Token: SeCreatePermanentPrivilege 2892 AUTOKEY.exe Token: SeBackupPrivilege 2892 AUTOKEY.exe Token: SeRestorePrivilege 2892 AUTOKEY.exe Token: SeShutdownPrivilege 2892 AUTOKEY.exe Token: SeDebugPrivilege 2892 AUTOKEY.exe Token: SeAuditPrivilege 2892 AUTOKEY.exe Token: SeSystemEnvironmentPrivilege 2892 AUTOKEY.exe Token: SeChangeNotifyPrivilege 2892 AUTOKEY.exe Token: SeRemoteShutdownPrivilege 2892 AUTOKEY.exe Token: SeUndockPrivilege 2892 AUTOKEY.exe Token: SeSyncAgentPrivilege 2892 AUTOKEY.exe Token: SeEnableDelegationPrivilege 2892 AUTOKEY.exe Token: SeManageVolumePrivilege 2892 AUTOKEY.exe Token: SeImpersonatePrivilege 2892 AUTOKEY.exe Token: SeCreateGlobalPrivilege 2892 AUTOKEY.exe Token: 31 2892 AUTOKEY.exe Token: 32 2892 AUTOKEY.exe Token: 33 2892 AUTOKEY.exe Token: 34 2892 AUTOKEY.exe Token: 35 2892 AUTOKEY.exe Token: 36 2892 AUTOKEY.exe Token: 37 2892 AUTOKEY.exe Token: 38 2892 AUTOKEY.exe Token: 39 2892 AUTOKEY.exe Token: 40 2892 AUTOKEY.exe Token: 41 2892 AUTOKEY.exe Token: 42 2892 AUTOKEY.exe Token: 43 2892 AUTOKEY.exe Token: 44 2892 AUTOKEY.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1988 Fighting.pif 1988 Fighting.pif 1988 Fighting.pif -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 876 done.exe 1764 jsc.exe 2744 2k.exe 2892 AUTOKEY.exe 2892 AUTOKEY.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 876 2124 4363463463464363463463463.exe 31 PID 2124 wrote to memory of 876 2124 4363463463464363463463463.exe 31 PID 2124 wrote to memory of 876 2124 4363463463464363463463463.exe 31 PID 2124 wrote to memory of 876 2124 4363463463464363463463463.exe 31 PID 2124 wrote to memory of 2920 2124 4363463463464363463463463.exe 32 PID 2124 wrote to memory of 2920 2124 4363463463464363463463463.exe 32 PID 2124 wrote to memory of 2920 2124 4363463463464363463463463.exe 32 PID 2124 wrote to memory of 2920 2124 4363463463464363463463463.exe 32 PID 2724 wrote to memory of 1892 2724 Gsoymaq.exe 34 PID 2724 wrote to memory of 1892 2724 Gsoymaq.exe 34 PID 2724 wrote to memory of 1892 2724 Gsoymaq.exe 34 PID 2724 wrote to memory of 1892 2724 Gsoymaq.exe 34 PID 2124 wrote to memory of 752 2124 4363463463464363463463463.exe 35 PID 2124 wrote to memory of 752 2124 4363463463464363463463463.exe 35 PID 2124 wrote to memory of 752 2124 4363463463464363463463463.exe 35 PID 2124 wrote to memory of 752 2124 4363463463464363463463463.exe 35 PID 2124 wrote to memory of 752 2124 4363463463464363463463463.exe 35 PID 2124 wrote to memory of 752 2124 4363463463464363463463463.exe 35 PID 2124 wrote to memory of 752 2124 4363463463464363463463463.exe 35 PID 2124 wrote to memory of 320 2124 4363463463464363463463463.exe 36 PID 2124 wrote to memory of 320 2124 4363463463464363463463463.exe 36 PID 2124 wrote to memory of 320 2124 4363463463464363463463463.exe 36 PID 2124 wrote to memory of 320 2124 4363463463464363463463463.exe 36 PID 752 wrote to memory of 744 752 Setup2010u32.exe 37 PID 752 wrote to memory of 744 752 Setup2010u32.exe 37 PID 752 wrote to memory of 744 752 Setup2010u32.exe 37 PID 752 wrote to memory of 744 752 Setup2010u32.exe 37 PID 744 wrote to memory of 1752 744 CleanUp Icons FOP.exe 44 PID 744 wrote to memory of 1752 744 CleanUp Icons FOP.exe 44 PID 744 wrote to memory of 1752 744 CleanUp Icons FOP.exe 44 PID 744 wrote to memory of 1752 744 CleanUp Icons FOP.exe 44 PID 1752 wrote to memory of 1784 1752 cmd.exe 41 PID 1752 wrote to memory of 1784 1752 cmd.exe 41 PID 1752 wrote to memory of 1784 1752 cmd.exe 41 PID 1752 wrote to memory of 1784 1752 cmd.exe 41 PID 744 wrote to memory of 1684 744 CleanUp Icons FOP.exe 40 PID 744 wrote to memory of 1684 744 CleanUp Icons FOP.exe 40 PID 744 wrote to memory of 1684 744 CleanUp Icons FOP.exe 40 PID 744 wrote to memory of 1684 744 CleanUp Icons FOP.exe 40 PID 744 wrote to memory of 1764 744 CleanUp Icons FOP.exe 39 PID 744 wrote to memory of 1764 744 CleanUp Icons FOP.exe 39 PID 744 wrote to memory of 1764 744 CleanUp Icons FOP.exe 39 PID 744 wrote to memory of 1764 744 CleanUp Icons FOP.exe 39 PID 744 wrote to memory of 1740 744 CleanUp Icons FOP.exe 43 PID 744 wrote to memory of 1740 744 CleanUp Icons FOP.exe 43 PID 744 wrote to memory of 1740 744 CleanUp Icons FOP.exe 43 PID 744 wrote to memory of 1740 744 CleanUp Icons FOP.exe 43 PID 744 wrote to memory of 856 744 CleanUp Icons FOP.exe 42 PID 744 wrote to memory of 856 744 CleanUp Icons FOP.exe 42 PID 744 wrote to memory of 856 744 CleanUp Icons FOP.exe 42 PID 744 wrote to memory of 856 744 CleanUp Icons FOP.exe 42 PID 856 wrote to memory of 548 856 cmd.exe 46 PID 856 wrote to memory of 548 856 cmd.exe 46 PID 856 wrote to memory of 548 856 cmd.exe 46 PID 856 wrote to memory of 548 856 cmd.exe 46 PID 744 wrote to memory of 1816 744 CleanUp Icons FOP.exe 47 PID 744 wrote to memory of 1816 744 CleanUp Icons FOP.exe 47 PID 744 wrote to memory of 1816 744 CleanUp Icons FOP.exe 47 PID 744 wrote to memory of 1816 744 CleanUp Icons FOP.exe 47 PID 744 wrote to memory of 2168 744 CleanUp Icons FOP.exe 48 PID 744 wrote to memory of 2168 744 CleanUp Icons FOP.exe 48 PID 744 wrote to memory of 2168 744 CleanUp Icons FOP.exe 48 PID 744 wrote to memory of 2168 744 CleanUp Icons FOP.exe 48 PID 744 wrote to memory of 1688 744 CleanUp Icons FOP.exe 49 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 548 attrib.exe
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1172
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"2⤵
- Looks for VMWare services registry key.
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\Files\done.exe"C:\Users\Admin\AppData\Local\Temp\Files\done.exe"3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:876
-
-
C:\Users\Admin\AppData\Local\Temp\Files\lve5.exe"C:\Users\Admin\AppData\Local\Temp\Files\lve5.exe"3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe"C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe"C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %34⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"5⤵PID:1764
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Window Title5⤵PID:1684
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp5⤵
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\attrib.exeattrib +h C:\Users\Admin\AppData\Local\Temp\xtmp6⤵
- Views/modifies file attributes
PID:548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"5⤵PID:1740
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=00255⤵
- Suspicious use of WriteProcessMemory
PID:1752
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt5⤵PID:1816
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat5⤵PID:2168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp78067.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp78067.bat"5⤵PID:1688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62067.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62067.exe"5⤵PID:1304
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp78067.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %35⤵PID:2192
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp78067.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %36⤵PID:1912
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp78067.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp78067.bat"5⤵PID:792
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62067.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62067.exe"5⤵PID:1628
-
-
-
C:\Users\Admin\AppData\Local\Temp\AITMP0\IconRemoval.exe"C:\Users\Admin\AppData\Local\Temp\AITMP0\IconRemoval.exe" /s %24⤵
- Executes dropped EXE
PID:1592
-
-
C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe"C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe" /s %14⤵
- Executes dropped EXE
PID:1612
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\as.exe"C:\Users\Admin\AppData\Local\Temp\Files\as.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
-
C:\Users\Admin\AppData\Local\Temp\Files\twty.exe"C:\Users\Admin\AppData\Local\Temp\Files\twty.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3048
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe"C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:2600
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:2056
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:524
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:2840
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:240
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:1936
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exeC:\Users\Admin\AppData\Local\Temp\Files\Zxgdah.exe4⤵
- Executes dropped EXE
PID:1652
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"3⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\System32\werfault.exe\??\C:\Windows\System32\werfault.exe4⤵PID:1420
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe"C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe"3⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit4⤵PID:2288
-
C:\Windows\SysWOW64\cmd.execmd5⤵
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"6⤵PID:1840
-
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe"6⤵PID:936
-
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir 322516⤵PID:1128
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Cock + Enhance + Forest + Grocery + Mall 32251\Fighting.pif6⤵PID:1776
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Amd + Backed 32251\Q6⤵PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\32251\Fighting.pif32251\Fighting.pif 32251\Q6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1988
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost6⤵
- Runs ping.exe
PID:1380
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\dart.exe"C:\Users\Admin\AppData\Local\Temp\Files\dart.exe"3⤵
- Executes dropped EXE
PID:2972
-
-
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:620 -
C:\Windows\SysWOW64\clip.exe"C:\Windows\SysWOW64\clip.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
PID:1304 -
C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"5⤵
- Executes dropped EXE
PID:972
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2212
-
-
C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"3⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 4644⤵
- Loads dropped DLL
- Program crash
PID:2456
-
-
-
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exeC:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1596 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1540 -
C:\Windows\System32\certutil.exeC:\Windows\System32\certutil.exe5⤵
- Suspicious use of SetThreadContext
PID:2376 -
C:\Windows\explorer.exeexplorer.exe6⤵
- Suspicious use of AdjustPrivilegeToken
PID:436
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\more.exe"C:\Users\Admin\AppData\Local\Temp\Files\more.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1308 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE24.tmp"4⤵
- Creates scheduled task(s)
PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\Files\more.exe"C:\Users\Admin\AppData\Local\Temp\Files\more.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:860 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit5⤵PID:1100
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'6⤵
- Creates scheduled task(s)
PID:1048
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2349.tmp.bat""5⤵
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
PID:1664
-
-
C:\Users\Admin\AppData\Roaming\images.exe"C:\Users\Admin\AppData\Roaming\images.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2548 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp"7⤵
- Creates scheduled task(s)
PID:2344
-
-
C:\Users\Admin\AppData\Roaming\images.exe"C:\Users\Admin\AppData\Roaming\images.exe"7⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\2k.exe"C:\Users\Admin\AppData\Local\Temp\Files\2k.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2744 -
C:\Users\Admin\AppData\Local\Temp\Files\2k.exe"C:\Users\Admin\AppData\Local\Temp\Files\2k.exe"4⤵
- Looks for VMWare services registry key.
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1848
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"3⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe4⤵PID:1552
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
-
C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1392 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2488
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"3⤵
- Looks for VMWare services registry key.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 14⤵PID:1936
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 15⤵
- Creates scheduled task(s)
PID:3052
-
-
-
C:\Windows\SysWOW64\WSCript.exeWSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs4⤵PID:2816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 5165⤵
- Program crash
PID:1656
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\file.exe"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1036 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵PID:2588
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\is-M4L34.tmp\is-5RSIS.tmp"C:\Users\Admin\AppData\Local\Temp\is-M4L34.tmp\is-5RSIS.tmp" /SL4 $501FA "C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe" 9508382 522244⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Delete /F /TN "UCR1163"5⤵PID:2168
-
-
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe"C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe" -i5⤵
- Executes dropped EXE
PID:2420
-
-
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe"C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe" -s5⤵
- Executes dropped EXE
PID:2608
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe"C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2448 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3024 -
C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2668
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2892
-
-
C:\Users\Admin\AppData\Local\Temp\Files\64_6666.exe"C:\Users\Admin\AppData\Local\Temp\Files\64_6666.exe"3⤵
- Executes dropped EXE
PID:1468
-
-
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:916
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Restoro.exe"C:\Users\Admin\AppData\Local\Temp\Files\Restoro.exe"3⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
PID:2736 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"4⤵PID:2156
-
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"5⤵
- Executes dropped EXE
PID:2808
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"4⤵PID:1544
-
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_tracking_product_24';"5⤵
- Executes dropped EXE
PID:1784
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"4⤵PID:1280
-
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_campaign_product_24';"5⤵
- Executes dropped EXE
PID:2708
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt4⤵PID:2076
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq RestoroMain.exe"5⤵
- Enumerates processes with tasklist
PID:1588
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt4⤵
- Checks whether UAC is enabled
PID:1812 -
C:\Windows\SysWOW64\tasklist.exetasklist /FI "IMAGENAME eq avupdate.exe"5⤵
- Enumerates processes with tasklist
PID:1728
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Innovations\PoseidonSense.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & exit2⤵
- Drops startup file
PID:1620
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\32251\jsc.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\32251\jsc.exe2⤵
- Looks for VMWare services registry key.
- Executes dropped EXE
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1764
-
-
C:\Users\Admin\AppData\Local\Temp\C9B5.exeC:\Users\Admin\AppData\Local\Temp\C9B5.exe2⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
PID:1900 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: MapViewOfSection
PID:668
-
-
-
C:\Users\Admin\AppData\Local\Temp\E6E7.exeC:\Users\Admin\AppData\Local\Temp\E6E7.exe2⤵
- Executes dropped EXE
PID:928
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1588975771-12325888314315886331461361080691700438-136395406713561210331922805953"1⤵PID:2832
-
C:\Program Files (x86)\Gsoymaq.exe"C:\Program Files (x86)\Gsoymaq.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Program Files (x86)\Gsoymaq.exe"C:\Program Files (x86)\Gsoymaq.exe" Win72⤵
- Executes dropped EXE
PID:1892
-
-
C:\Windows\SysWOW64\mode.commode con:cols=0080 lines=00251⤵PID:1784
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1264
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-973048715197130983-1341687536433807011129174765-19960466251124799504-1171668897"1⤵PID:1816
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0xc41⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
C:\Windows\system32\taskeng.exetaskeng.exe {D2671346-7FE2-45DB-AD13-DE7322DADB41} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]1⤵PID:2284
-
C:\Users\Admin\AppData\Roaming\Windata\system.exeC:\Users\Admin\AppData\Roaming\Windata\system.exe2⤵
- Executes dropped EXE
PID:2580
-
-
C:\Users\Admin\AppData\Roaming\Windata\system.exeC:\Users\Admin\AppData\Roaming\Windata\system.exe2⤵
- Executes dropped EXE
PID:1668
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-349709810-2063757049-71600924241542482914366083461667747595-271911139-80771891"1⤵PID:1720
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:1476
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
3Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
7Scripting
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
52KB
MD53387961372fe91c2cc69b53180cbfee4
SHA1ede6fb0d2319536efca218d461425d2addffd88e
SHA256dad57975be6833c50d32ee77212addf11a80195d82365ade6042234e492bd845
SHA512f6551803b90934a5555587bc81b4758b21fc8bad1653f298846e2195c797932893d761249f9cf527e95809ffc0bfd785872f0b42f56e8adc64bdb06c63f09c5c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53f4b38fed9a44672ff54d3b9d98ccaee
SHA1bc0feab189ec4f41213fe617943e4eb3ec998a41
SHA256af9e6e7a16e737306b5786e8275cc77b7bb26f5a8242d4c47e37ef2274c9b223
SHA5129b0e89b22fc3b8a61b1cdc9db3683b675e40ffd032480ff70a16f53f748e49fa12073e84236b70957c441bbe469efc7c6643b381770fa3ce880062f3c9f5c515
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a181ce8b182a575ee989c2f7347130de
SHA12947946cf9e8cc61011fb93f8d35c13501cf1247
SHA25659faa93676eca7fbf497e8976e3bd80ef6675ad45fb3dc978faa498978030614
SHA5128d2577583bcdf4478a5ffacdadc965e59069cb53cc8742fde6c6cb5bb0a065b5609cefe660ce75bf38191c20d51027354bb72bf036c4e5f1ed7c4bf07eed080e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD570383a172bee63aec4e9b98afca4d165
SHA16157ed52b9cbdec061b918745e9290c8656ed792
SHA256b85afab512b14f29aab110bab5c10eee9d5faca42097c141609e022ea54fc85d
SHA5129950bd68f23a17849dc1d0df1c24ab51b371d573a94162134bb2000429e8b0bcf5d0a0422cab940fb52d74fb99ebf98c7faf67af5490a917e3f8d01ef69cbc7e
-
Filesize
616B
MD5f45fedfcce4a78fd25ea62ce9c2f089f
SHA1ff2f255a5a9342f3b494b96bad04f3687623f0a7
SHA256355f202ffd0106f6af1810742223cd92f96a63f0e4867d963152cb52b171653b
SHA51201740f858ac78561f447710f00590f160e9faee7e7ac085ff4ccdda0ac9a0147bad8c810f52ae78cad13b8dc81f6fd2869121beb3acb3bbc04a48861bbfb59a3
-
Filesize
76KB
MD5f9bd179e7158ffa12e8ea92b8a7edacf
SHA1a9088ec6a5220d8dc2bba454ce5ed5cea66173d8
SHA2561a301b806408563449a4830c3a0d6d2761d98c86805d75a91672c717c2776b36
SHA512b5dc5f1a4168ed7bdc580d6f9ea930a1dc44377af31ad82c2ba6dd8b4964152cb66b21851190555fef8eeaf4e9f6911faf74dbaf37b5508c5dfc2816b39e6d0a
-
Filesize
233KB
MD58dc8b9bc6ba7d44f34e72d1ad1cd0ee1
SHA1520727afb5bbb90046d8ecb252f56ec6a6bebd84
SHA2568a05c6fb79b07c99af406d3a084fe0db6a8664cde9bf034e499e71c81422ce02
SHA51291ff30560432f04682d08acc8620e8511a4b67bcae25e1ed393c3b178931a02be2634266b9670f8a9166344fc05068163e727f87cfe670ff77cfc48e2dadc0dc
-
Filesize
21KB
MD5044f9f53d150bdab3e7a7b5727181102
SHA1c95c7c1a003eeff2c1b7222eca73cecea6ead949
SHA2563342a6ed58e4e6fe6566c3f379346ac96fbb5819446d67bb4b88b67729f3772f
SHA512369f999acc2c45ac784b7396a1287b9aedd02036e87b6397e01d23be9a5b5711578b9d07a65690e8aef2d081ef5cbd463f32ba6ed4f2ec692afd9c93c6b560ec
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
832KB
MD5883ddbf7e3fad1fb77291d8fa149f3fe
SHA15e02ae07dc4a1216508c1a90f6ed1ff90957902e
SHA2569c6fbaa30909c45b01dd7e7880f69ee37a1bd3cd9fda4962aa92b8f829daae2d
SHA5127fc6b2e402c9289d6f55f14f34b84d9706df9330ed4b2657cc95c63ea4f37b6b752df25aab7d7c6b6d5491362c391ec8152ff066f60c25b26cddc85fb2244d44
-
Filesize
56KB
MD597e8176d875adf30d317d4f7d123dd7e
SHA135be6c85f86f8f3f44913fd744549a2f93aa3cbf
SHA256a52a70c7f00e5e0aaad1be187d6c5d4883c7e02e0db8ef1b167b372cabee6d98
SHA512d8c5d9f5505f00d9f44e2f28df80cef46bc85782d1922b071dea67f12ea1b95b7a8bf16ac386bcb5f616528e3bf3fe294ab1abc0385607ed7a693ecaf94b32a4
-
Filesize
7KB
MD5dbfe72085ba54253275429f078307fbd
SHA11bedc6beaac9a9fbf27ef4605fcc4f4d1595e838
SHA25691429407c3dcd1947735028b7b8632187edd45bbd0e19b7ae64a9a86574c3186
SHA512a9d4a9b72b074c2ca3a6652042072eb3fc076da00d17846b407211e93ac1a16b5f2501f77304febee0cb89a06b9baf078961ab7b89a5fd128be0bd6993e2c259
-
Filesize
12.8MB
MD5558f6909629ebb3f631d16e2243031cb
SHA1c10ff85a796c09ab0cfad46e456b5eb6e458cd90
SHA256190824f892b3c85bb8922053e8f8e04e598e2ba515db2c2214b53799cf1b600c
SHA51234aa783acece86f09c052eb5912fd9753bb6ba44bc002c01842859835998be9c70afe4178ee37e730b9bd33b704da6d73776d563d2047d91d534960a01aeea7d
-
Filesize
12.8MB
MD5f33e3109c7d4ad0ac4afa61344c0942d
SHA11eb643a78aba8020a425b6592f5bf54912c188d2
SHA256f91aee120f601fb1787b6c711dff378081b75447f9514666645d15d1544b5bda
SHA512eeeec22e3a2737274262bae4ca8ab08c26210e117224b3bfd51d1296f720067df2a814a3b2a065bddafea3350d53fd9c6f4907c108c20e0c4f40ef224bcc4d97
-
Filesize
1.1MB
MD52cd9b5d48c0904c90537d3eb0f1becad
SHA170f64e9bbc1dce9efe7d4d891504bbfd56b2cdf2
SHA256b3ebb5a8630417d858f873711178365a1cc015e4a9952c9dfbb17550b3210053
SHA5123456fb10e4f3237021cd46564c9d060d529ac5950b7541c63a2502a6ca09858702493c0918064c7feab2d16ea58e0aecac681f9c36d91a763a4614f254ae17a8
-
Filesize
3.0MB
MD580d185239d0bc508cbd85e84d62b8b0c
SHA170bb4adc0138bd9d08a4479d2d9ef6bee93acdb5
SHA2566f6ee9be98feeb031891ea5849b296f2741e0bd6786ce0b4b4379841a96749dc
SHA512581e15c4e7fd8484401b9ed374bd1546c514fe6273444d4671a8890c330f7d22cfc74562e2a224a1b427902ddc957822cd7d5e683fb48ee3d4ac6c369655e4ce
-
Filesize
958KB
MD5aa3cdd5145d9fb980c061d2d8653fa8d
SHA1de696701275b01ddad5461e269d7ab15b7466d6a
SHA25641376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2
SHA5124be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32
-
Filesize
316KB
MD5cd4121ea74cbd684bdf3a08c0aaf54a4
SHA1ee87db3dd134332b815d17d717b1ed36939dfa35
SHA2564ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782
SHA512af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100
-
Filesize
420KB
MD574edc4367f0255fe8d975bf6dc564e6b
SHA1be9d7817a264e753c83f1b2b4fa31a210873bd4a
SHA2560e1e72c4c5170bb340207a3a65afa10bdef1da77c5a06bf29190ea3073ef55a6
SHA512f65da9d1f4dcfca93bb4000f7b121689d8d779e1659f02428a10fe220437cdce95b647698810c2e396cb76b996a37d4871f1db1fcdc2c5419141c75c7d23da33
-
Filesize
960KB
MD504ef0746815ef32d25110eecd7e832e4
SHA133f9bfab5e2ef06433475c0563d69ba87f6998da
SHA256aa9233a88337617bd79b083b0c55fefeffa9e8323c8fe5aade78357b2ef1053f
SHA512d000c35b12a044e03d0e18956bf627476df126714e8d7cd98de11fce1aef05620253edabfd2180b60dc105bc910ca084eb3a7820f32f46b207333082e78e23a7
-
Filesize
704KB
MD53fcb19ecec1f26ee87b44fd90921ad85
SHA1e25028b763928c7d1a3d8c33117c44cbc597c780
SHA256b8e8f05cdbed6eb8a25306f44826d87751b23bff8df43c5a34fc561fb05e7f9d
SHA5126db9bdd37b40f295137037c03efd9d87f75986b212c07b48692fd6e454ea82be15a74ba60ba60f76eb784c1e0eef2d583cc5fc83261d911ac7a5d9cad54295ba
-
C:\Users\Admin\AppData\Local\Temp\Files\e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1.exe
Filesize187KB
MD5b32fab896f5e701c1e816cd8c31c0ff5
SHA1475ed088fefe3ac3ccaf4c38868048fa7ed8ca8b
SHA256e756885f12abdf5cc8450232691a4f55c1e524262825a4a00ced4f004a2c69c1
SHA51222ed1a9afc6caca896bee0c77d0dacb9c28747986566e176cdeb72b8cb3429323d73c5da795905a08941fa480e2e690d45edf8ce7efee4a77f5ba4c5442002d0
-
Filesize
11KB
MD52a872ae7aa325dab4fd6f4d2a0a4fa21
SHA1f55588b089b75606b03415c9d887e1bdbb55a0a0
SHA256693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4
SHA512fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7
-
Filesize
120KB
MD58b004afa75742b10b3642990804f42f0
SHA1e61166dce67d30c7ebbbe1cf1a5dd5f06981251d
SHA256a4b0ee25d1fcedd5c3acb39e5a04a1b3a2e6df417d6522d96e74c1411e80df73
SHA5121f952caad6ff0b6961a6c7ff9cce889bf2a0623aabe4a3b53283d9877043aa8103690c5e30992c9753a3b7d8a99bf8bcd8672963bba5b8831a4f78952b039420
-
Filesize
2.2MB
MD51836716b2f372522b52f865d74f59dc7
SHA1f642a469e381c3ec8f3fc9d29b791baf2d654b63
SHA2568bc73b56e4f82591734a80dfae67191e5fb269ccbe313635be904d9d9f85009f
SHA512b855a1410b8b633088dab1925061d07b1c89160763c0ce70581397896cd45067c830e694176efb63e14e9bd7cec3685c8c1a66e1f454d5e1b2c6c3c17a117dd3
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
181B
MD5225edee1d46e0a80610db26b275d72fb
SHA1ce206abf11aaf19278b72f5021cc64b1b427b7e8
SHA256e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559
SHA5124f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504
-
Filesize
32B
MD5d406619e40f52369e12ae4671b16a11a
SHA19c5748148612b1eefaacf368fbf5dbcaa8dea6d0
SHA2562e340d2b9ced6ad419c031400fb974feed427cfabd0c167dea26ec732d8579be
SHA5124d9792a6427e4a48553318b4c2bac19ff729a9c0a635bc9196c33d2be5d1a224d1bac30da5f881bad6340b0235894ff020f32061a64125629848e21c879c5264
-
Filesize
3B
MD5a5ea0ad9260b1550a14cc58d2c39b03d
SHA1f0aedf295071ed34ab8c6a7692223d22b6a19841
SHA256f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04
SHA5127c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74
-
Filesize
6KB
MD5132e6153717a7f9710dcea4536f364cd
SHA1e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
SHA256d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
SHA5129aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
-
Filesize
283KB
MD5b5887aa9fa99286a1b0692047a4bd24d
SHA1d3d72b7516000788a749d567fb4dfb17e15d43a1
SHA2569207951ffbe8e7633def52bac1d8923336874534a99ad1815d5eb64c83161bf8
SHA512cd8f9179f741a7976d5f47b070b52a260c469500881a01a20be0929d3b6ea35c38476c19a19804f55c6f3d4c19eedd617c71ddc9bd8077f9b772a7ba30e59a3a
-
Filesize
256B
MD5d0174a0fa42477e937dfb451f257e756
SHA1666af94f5d9582364a414909082cbae754fee27f
SHA256b14fc2d669f43144e5fb3dc05a606353107380de2e909d38f5815a0d7a5d8c5e
SHA5120c9e3fe3c15fd090ad9afcb4d480613bed07df23f0238526983861749dbf756a74ac0249b51443ac4222bec626cfa5f376117fe0e63c757f85a94783e6a1e980
-
Filesize
255B
MD5d3a841ba135bb1debc7927cc0beca1db
SHA1f7556c91658223c485ebe8c2d4ffd7ae352045c4
SHA256f550b8dbf82e649ed766ef6a508b1a9c88d2fd69efbd7687603449714e9b49e0
SHA5120a6f7352e54d71c4448e7c16c1a761fa6f9e016e990e45397e1fcf3a37fc6faa5ac917981db978a372f028997464fcbc0bc1e873ada8b0442c1fd364d7cdabac
-
Filesize
256B
MD5128c62d13e31b61dcc950d611729dc14
SHA171ec2893922d03545525cb74b91f433a81170233
SHA256a0d6c3ba5c5f712ba12a258c15724fdf00f7c3666eb135e6042dea35f12c2e6e
SHA51240c21cac8ab097b72d2e3b3e0dac166c4656b7a67a5bcba32b3ea0e26f0239a677eacdd46f1e6ec591b314d3eb76e9c1d1dc05ff40204278aa058ded81382f95
-
Filesize
150B
MD52e22b140bdfbeb13078fc4a273f33966
SHA10fdb21cf9d42cf154028d5b70d71b09ff17f2f80
SHA2564ab24e90545057a2cba2430de04819527168f4422dbe84bbdb89289f61b71a82
SHA512dfafd3850085f405a40d8a09f1e4cb3e5a523f51670203f5f778c1cefd99e916322b8cf00eb2a02647bc1ea67cbeeca4e7469b4286c9e95a26ac587a1b0ef644
-
Filesize
15B
MD53c52638971ead82b5929d605c1314ee0
SHA17318148a40faca203ac402dff51bbb04e638545c
SHA2565614459ec05fdf6110fa8ce54c34e859671eeffba2b7bb4b1ad6c2c6706855ab
SHA51246f85f730e3ca9a57f51416c6ab4d03f868f895568eee8f7943cd249b2f71d2a3e83c34e7132715c983d3efaa865a9cb599a4278c911130a0a6948a535c0573b
-
Filesize
574B
MD58cbae3646688783a0b5c67432be1f5bb
SHA1217effeed0793e7e08dff25501f0b5f50f6c22a7
SHA2564a3f94c5676f315b592d7b783d452b40b394fef564387079070743aa61aa724f
SHA512592a09473f0a54ea0fc91c6209d5c1de551f776a1a7c0b1b4152aec0fa058143453358a8c091d253f476a4e5c81f0c9e1f81da7cf08226ebc0be35c2e423642e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y2W764U04UM243CTX91G.temp
Filesize7KB
MD56bf86fafb571c671f1d707967f0b4414
SHA1cd9322e946680aac406aa77384989ed08884329c
SHA256b8fd5fee554d7444d1c75af445b2e4275dfed8355b4bed28247b1b8242be0efb
SHA51274b0cd8ead11e03b176a4b086f0b0180e550e69b71cc253b486690fdea4d8cf52a822c11d373fb5522e0d230e9874d27f91c3aa7d9c52469c5c32dba0f4b1d4b
-
Filesize
299KB
MD58594d64e02a9dd1fb5ab412e246fe599
SHA1d63784f4e964151b3b4e41bb5ed0c6597b56762f
SHA2561660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e
SHA512852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e
-
Filesize
817KB
MD59e870f801dd759298a34be67b104d930
SHA1c770dab38fce750094a42b1d26311fe135e961ba
SHA2566f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b
SHA512f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf
-
Filesize
1.8MB
MD538dab7e0e07f81c3dbdc5dd51929bb02
SHA1eb293f753008c5a3ebb94fb9b98c2e84412a49f2
SHA256af657d5f83665c2941c300fd515382d5950980550010e6329e57a3de4a27f008
SHA5126361f384eb73ae692492bd8fa2993cbfb54be66e58b36ab988e93293dc7637669c10f5d3b3ce565827feb2030373c3617248cdc36d963ed447b05e5e026d2e1d
-
Filesize
228KB
MD5ae7ec3a871852825d682dcef86c0e264
SHA1dce5028ffb3ff806d27d1dc5613c1d4558a6985d
SHA2562a56e7d42ba9e924540a2f4d6c233ce7f93b6437ea39291c58bfbe92dec1d476
SHA5127a6bd4a2619123a8835c7d13bac804e8fadc227100e59309ecb1bf54f9150085b9c7227a48f803cbbf2358548da353c653b1396fa09fc2ebd773ba307b4541bf
-
Filesize
9.6MB
MD58fbc1e51fb3608bfa7335db6c2cce276
SHA193de67fbc566a7222fa44e4b8d1ff8d001673e3c
SHA25692a7491e6f0bb07a15eaac07f55a1b321012d178fd7de487e83cabafdecb39a0
SHA512cc9181afc5d45b57a2ec2525de48fd397f7d6ed3b0f001b7f2cc6a9074a0f2abe045f335a98ac34ce4a269fdd9c25b414eee68efa60c4f79b87baf96e884fe64
-
Filesize
1.3MB
MD554276714de008467235d06f590be7b1a
SHA17948411fba0d27ac619d15a6a9ed58a59e01b765
SHA256d34bb3f51cd2e0628fa294d9459f58156b82ece676aa4ec78b90ad8dc484b210
SHA5128bad3a5c7adb56586973fbbcf82b1a0e771035c1e6b0c5f337b514970939480a188daeff5e2146c96d602f0e06be3e56c5653043bcb6cb85b05a800b788a3ec6
-
Filesize
14KB
MD512d26de76ef1e100a30a71c12507c8a7
SHA1f25fd83c340ad9016026417cca512bd9b7e68e09
SHA256dcf0127e63580eec43e1e7081466ab1c7b1a227f1ebb7ae55f9f6bd8e190343e
SHA512fc722b9aa576d3c313f3899a293e1a9583b9919963434f61be766a0f88e313de41f4899179240e18aa079cbf911ca63f3913de39e37f5b347ea2ae36d084c8d2
-
Filesize
443KB
MD55ac25113feaca88b0975eed657d4a22e
SHA1501497354540784506e19208ddae7cc0535df98f
SHA2569a0d8a0fc3c799da381bc0ca4410fd0672f0a8b7c28c319db080325f4db601fe
SHA512769fa8c71855ba1affc7851d394fd6870e01ab8a5e5ee9ab5e63290708b3233e1b0a47185a13d2e52d29917c5b40f8adedb1efc3305b1cdf31802b4c796a25aa
-
Filesize
896KB
MD5436e9c7442c3c0adcd9cc68ab5b6c876
SHA18196052cdafb8e20df624ec6bb474332b4f1e42f
SHA256b51496425ddc68afd70a292364ccf91b9b877d4cdafcb06028cbec7ae075e79b
SHA512edcc6db8de29519087509ffb6d84d9ce18d7268ad4cf5a95aadec075aa9d00496f99cc7c467775466daafe201c0813fb96b7452de737baf6da08475f5313a607
-
Filesize
1.2MB
MD5def3668f318bbd4f6a82fab5e2ca1128
SHA1722df05b6dc311aad47b38cd0606e6d8b08152b7
SHA2565e9fec718fcfd214a071fc921c590a5627cb5d36ced44216d02450eaea9bdcfd
SHA51227426816f68769352da1fcdd4dcb88ccfff0125cc89d975920c44f3148888665216a47274d2ab5ffc15cf9a7355ae572e766cfe5ff0060028c69fe707ea0016b
-
Filesize
4.3MB
MD5c7207f25a68d4179e9a07969de719eda
SHA1217eb428256ddb5772cd593545a53ff645b4219f
SHA256c8a83d9a856df3ce975abe0dffa5c7f0e9a22469ae21c2461cc3e9c59d541921
SHA512a39f176d2bcfaaf08dfc58d0ef2550688ff07fc8459ade5d2b86018d2fa40ab2b2c92f192f00b373854f971311e87243ce4c56167fd0caa628bb5ffa81323e0e
-
Filesize
41KB
MD5f523a939094cc8681a3636db2c8ff809
SHA1608d175fa2c86b724f8137fead60aca3fc364265
SHA25682ab2915f0c86cbdc4acc8ce4efd85af374b19d0d9f5c06006b20ba7bff56383
SHA512520551b6840cfcd397d879b7b5947c3c730f6e0accc5a138eabbfe1faa11724f8c041b9af194c42b2bd36cc872b6ec271e1d5f504cbb58214508c5592ef75e1f
-
Filesize
76KB
MD5b6ffd4a7812b0608b18c8665cf3b4b5b
SHA11a486e8281b80ddb0060a28e43ab14ee90ea4e91
SHA25623dfb2a6b53106509444bec24b9c3893a82f8f04520f03f6b1696f53d19170c5
SHA512dcb62682bd7bc0f869ae270a16062f952a96f29cfda36ac7dc82e1a1516f75c61be1f8c435cf2765172432cfab70a6ef0eda7b6db44517b063c4fae16f554c0a